SNS Topic is Publicly Accessible
- Query id: ae53ce91-42b5-46bf-a84f-9a13366a4f13
- Query name: SNS Topic is Publicly Accessible
- Platform: CloudFormation
- Severity: Critical
- Category: Access Control
- CWE: 284
- Risk score: 8.8
- URL: Github
Description
An SNS Topic Policy statement should not grant access to any principal (`"Principal": "*"`) unless a condition restricts which caller is allowed, such as `aws:SourceAccount`, `aws:SourceOwner`, `aws:PrincipalAccount`, `aws:ResourceAccount` or `aws:VpceAccount` (see the negative samples below). A condition that only constrains the delivery target, such as `sns:Endpoint` in positive samples 2 and 4, does not limit who may publish, so the topic is still reported as publicly accessible.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
snsPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement: [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": ["sns:Publish"],
"Resource": "arn:aws:sns:MyTopic"
}]
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
snsPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement: [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": ["sns:Publish"],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals":
{
"sns:Endpoint": "my_email_address@example.com"
}
}
}]
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"mysnspolicy0" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : "*",
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "MySNSTopic" } ]
}
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"snsPolicy": {
"Type": "AWS::SNS::TopicPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals": {
"sns:Endpoint": "my_email_address@example.com"
}
}
}
]
}
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
snsPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement: [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "otherPrincipal",
"Action": ["sns:Publish"],
"Resource": "arn:aws:sns:MyTopic"
}]
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
snsPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement: [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": ["sns:Publish"],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals":
{
"aws:SourceAccount": "123456789012"
}
}
}]
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
snsPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement: [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": ["sns:Publish"],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals":
{
"aws:ResourceAccount": "123456789012"
}
}
}]
Negative test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
snsPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement: [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": ["sns:Publish"],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals":
{
"aws:SourceOwner": "123456789012"
}
}
}]
Negative test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"mysnspolicy0" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : "otherPrincipal",
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "MySNSTopic" } ]
}
}
}
}
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"snsPolicy": {
"Type": "AWS::SNS::TopicPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "123456789012"
}
}
}
]
}
}
}
}
}
Negative test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"snsPolicy": {
"Type": "AWS::SNS::TopicPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals": {
"aws:VpceAccount": "123456789012"
}
}
}
]
}
}
}
}
}
Negative test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"snsPolicy": {
"Type": "AWS::SNS::TopicPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Sid": "MyTopicPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:MyTopic",
"Condition": {
"StringEquals": {
"aws:SourceOwner": "123456789012"
}
}
}
]
}
}
}
}
}