SNS Topic is Publicly Accessible
- Query id: b26d2b7e-60f6-413d-a3a1-a57db24aa2b3
- Query name: SNS Topic is Publicly Accessible
- Platform: Terraform
- Severity: Critical
- Category: Access Control
- CWE: 284
- Risk score: 8.8
- URL: Github
Description¶
An SNS topic policy should not grant access to an unrestricted principal (`"Principal": {"AWS": "*"}`) unless a `Condition` limits who may call the topic; an unconditioned wildcard principal lets any AWS account publish to, subscribe to, or (with `"Action": "*"`) reconfigure the topic. The negative samples below show the condition keys the query accepts as a restriction — note that not every accepted key actually constrains the caller (see the review notes on negative tests 3, 4 and 6).
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Positive: wildcard principal with "Action": "*" and "Resource": "*" and no Condition.
# Any AWS principal in any account can publish to and subscribe to the topic, and because
# "*" also covers topic-administration actions (e.g. sns:SetTopicAttributes,
# sns:AddPermission) the policy itself can be rewritten. This is what the query reports.
resource "aws_sns_topic" "positive1" {
# The policy is a plain <<EOF heredoc (JSON), so no comments can be placed inside it.
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "*",
"Principal": {
"AWS": "*"
},
"Resource": "*"
}
]
}
EOF
}
Positive test num. 2 - tf file
# Positive: the terraform-aws-modules/sns module's `topic_policy` input is evaluated like
# the raw `policy` attribute of aws_sns_topic. The single statement grants sns:Publish to
# "AWS": "*" with no Condition, so any AWS account can inject messages that reach every
# subscriber of this topic.
module "sns_topic_with_policy_field" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-policy"
# Heredoc JSON — comments cannot be placed inside the policy body.
topic_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllAccounts",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "*"
}
]
}
EOF
}
Positive test num. 3 - tf file
# Positive: `topic_policy_statements` is the module's structured (HCL) form of the topic
# policy and is checked the same way as the JSON form. Despite the sid
# "AllowSpecificPrincipal", the only identifier is the wildcard "*" and there is no
# `condition`, so the statement is an unrestricted grant of sns:Publish.
module "sns_topic_with_policy_statements_valid" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-statements-valid"
topic_policy_statements = [
{
sid = "AllowSpecificPrincipal" # misleading: the principal below is not specific
effect = "Allow"
actions = ["sns:Publish"]
principals = [
{
type = "AWS"
identifiers = ["*"] # wildcard principal with no condition — reported by the query
}
]
}
]
}
Positive test num. 4 - tf file
# Positive: a `condition` is present, but it does not identify the caller.
# sns:Endpoint is the SNS key for the subscription endpoint supplied to sns:Subscribe; it
# says nothing about which account or principal is making the request, so "AWS": "*" is
# still an unrestricted principal and the query reports it.
# NOTE(review): for sns:Publish the sns:Endpoint key is presumably absent from the request
# context, which would make this StringEquals evaluate false and the statement grant
# nothing — a dead statement rather than a safe one. Restrict callers with
# aws:PrincipalAccount / aws:PrincipalOrgID instead.
module "sns_topic_with_policy_statements_not_limited_access" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-statements-valid"
topic_policy_statements = [
{
sid = "AllowSpecificPrincipal" # misleading: the principal below is "*"
effect = "Allow"
actions = ["sns:Publish"]
principals = [
{
type = "AWS"
identifiers = ["*"]
}
]
# This condition constrains the subscription endpoint, not the publishing principal.
condition = {
"StringEquals" = {
"sns:Endpoint" = "https://example.com/endpoint"
}
}
}
]
}
Positive test num. 5 - tf file
# Positive: mixed policy. Statements "pos1_1" and "pos1_2" use the wildcard principal with
# no Condition and are reported; statement "neg" is scoped to a single account root and is
# not. Allow statements are additive, so the narrower statement does not cancel the open
# ones — a single unrestricted statement is enough to make the topic public.
# (This sample reuses the address aws_sns_topic.positive1 from sample 1; each sample is a
# separate .tf file, so there is no duplicate-resource conflict here.)
resource "aws_sns_topic" "positive1" {
# Heredoc JSON — comments cannot be placed inside the policy body.
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pos1_1",
"Effect": "Allow",
"Action": "*",
"Principal": {
"AWS": "*"
},
"Resource": "*"
},
{
"Sid": "neg",
"Effect": "Allow",
"Action": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Resource": "*"
},
{
"Sid": "pos1_2",
"Effect": "Allow",
"Action": "*",
"Principal": {
"AWS": "*"
},
"Resource": "*"
}
]
}
EOF
}
Positive test num. 6 - tf file
# Positive: the first and third statements grant sns:Publish to "AWS": "*" with no
# Condition and are reported; the second is limited to account 123456789012 and is not.
# NOTE(review): all three statements share the Sid "AllowAllAccounts". IAM requires Sids
# to be unique within a policy document, so AWS may reject this policy on apply — the
# scanner evaluates it statically and still reports the open statements.
module "sns_topic_with_policy_field" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-policy"
# Heredoc JSON — comments cannot be placed inside the policy body.
topic_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllAccounts",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "*"
},
{
"Sid": "AllowAllAccounts",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sns:Publish",
"Resource": "*"
},
{
"Sid": "AllowAllAccounts",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "*"
}
]
}
EOF
}
Positive test num. 7 - tf file
# Positive: structured form of the mixed policy. The first and third statements use the
# wildcard identifier "*" with no `condition` and are reported; the second names a single
# account root and is not.
# NOTE(review): the first two statements share the sid "AllowSpecificPrincipal"; IAM
# requires Sids to be unique within a policy, so AWS may reject the rendered document.
module "sns_topic_with_policy_statements_valid" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-statements-valid"
topic_policy_statements = [
{
sid = "AllowSpecificPrincipal" # misleading: principal is "*" — reported
effect = "Allow"
actions = ["sns:Publish"]
principals = [
{
type = "AWS"
identifiers = ["*"]
}
]
},
{
sid = "AllowSpecificPrincipal" # duplicate sid; this statement is scoped to one account — not reported
effect = "Allow"
actions = ["sns:Publish"]
principals = [
{
type = "AWS"
identifiers = ["arn:aws:iam::123456789012:root"]
}
]
},
{
sid = "AllowSpecificPrincipal2" # wildcard principal again — reported
effect = "Allow"
actions = ["sns:Publish"]
principals = [
{
type = "AWS"
identifiers = ["*"]
}
]
}
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Negative: the only principal is a specific account root, so the query does not report it.
# Granting the account root delegates to that account's own IAM policies, which then decide
# which of its principals may use the topic.
# NOTE(review): `##account_number##` is a template placeholder, not a valid 12-digit account
# ID — substitute a real account or a Terraform variable before applying.
# NOTE(review): the statement has no "Resource" element; SNS topic-policy examples always
# name the topic ARN — confirm the service accepts a statement without it.
resource "aws_sns_topic" "negative1" {
# Heredoc JSON — comments cannot be placed inside the policy body.
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Principal": {
"AWS": "arn:aws:iam::##account_number##:root"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
Negative test num. 2 - tf file
# Negative: wildcard principal, but the Condition scopes it to one account.
# AWS:SourceOwner is the SNS-specific key that SNS's own default topic policy uses to
# limit the wildcard principal to the topic owner's account, so this mirrors the default
# "__default_policy_ID" policy. Condition key names are case-insensitive.
# NOTE(review): confirm in the SNS documentation whether AWS:SourceOwner applies to
# direct calls by IAM principals or only to service-originated requests; if identity-based
# scoping is needed, aws:PrincipalAccount is the unambiguous choice.
# "Version": "2008-10-17" is the legacy policy-language version; the ${var.*} references
# below are Terraform heredoc interpolation, not IAM policy variables, so that is fine.
resource "aws_sns_topic" "negative2" {
# Heredoc JSON — comments cannot be placed inside the policy body.
policy = <<EOF
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"*"
],
"Resource": "arn:aws:sns:${var.aws_region}:${var.aws_account_number}:forensics_sns_topic",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "${var.aws_account_number}"
}
}
}
]
}
EOF
}
Negative test num. 3 - tf file
# Negative: the Condition on AWS:SourceAccount restricts the statement, so it is not reported.
# NOTE(review): aws:SourceAccount is populated only when an AWS service (e.g. S3 event
# notifications, CloudWatch alarms) calls SNS on behalf of a resource in that account. A
# direct sns:Publish by an IAM user or role carries no aws:SourceAccount key, so StringEquals
# evaluates false and the call is denied — this statement effectively allows
# service-originated traffic from var.aws_account_number only. Add aws:PrincipalAccount or
# aws:PrincipalOrgID if human or role callers also need access.
resource "aws_sns_topic" "negative3" {
# Heredoc JSON — comments cannot be placed inside the policy body.
policy = <<EOF
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"*"
],
"Resource": "arn:aws:sns:${var.aws_region}:${var.aws_account_number}:forensics_sns_topic",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "${var.aws_account_number}"
}
}
}
]
}
EOF
}
Negative test num. 4 - tf file
# Negative for the query, but NOTE(review): this Condition does NOT restrict the caller.
# aws:ResourceAccount is the account that owns the *requested resource* — in a topic policy
# that is the topic itself — so it always equals the topic owner and the StringEquals is
# trivially true. With "AWS": "*" and "Action": ["*"] the statement still allows any AWS
# principal in any account to publish to, subscribe to and reconfigure the topic. Treat
# this as a false negative of the query; scope callers with aws:PrincipalAccount,
# aws:PrincipalOrgID or AWS:SourceOwner instead. (aws:ResourceAccount belongs in identity
# policies and SCPs, where it stops a caller from reaching resources in other accounts.)
resource "aws_sns_topic" "negative4" {
# Heredoc JSON — comments cannot be placed inside the policy body.
policy = <<EOF
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"*"
],
"Resource": "arn:aws:sns:${var.aws_region}:${var.aws_account_number}:forensics_sns_topic",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${var.aws_account_number}"
}
}
}
]
}
EOF
}
Negative test num. 5 - tf file
# Negative: wildcard principal scoped by aws:PrincipalAccount, which is the account of the
# principal making the request. Only principals in 123456789012 match, so the statement is
# not reported. This is the recommended way to let "any principal in account X" publish
# without enumerating them; use aws:PrincipalOrgID for an entire organization.
module "sns_topic_with_policy_field" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-policy"
# Heredoc JSON — comments cannot be placed inside the policy body.
topic_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllAccounts",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "123456789012"
}
}
}
]
}
EOF
}
Negative test num. 6 - tf file
# Negative: the `condition` on aws:VpceAccount restricts the statement, so it is not reported.
# NOTE(review): aws:VpceAccount (a newer global key) matches the account that owns the VPC
# endpoint the request arrives through — a network-path constraint, not the caller's identity.
# Any principal from any account that can reach an endpoint owned by 987654321098 still
# matches; requests that do not traverse a VPC endpoint lack the key and are denied. Pair it
# with aws:PrincipalAccount / aws:PrincipalOrgID if callers must also be constrained by
# identity, and confirm the key name against the IAM global condition keys reference.
module "sns_topic_with_policy_statements" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-statements"
topic_policy_statements = [
{
sid = "AllowVPCEAccess"
effect = "Allow"
actions = ["sns:Publish"]
principals = [
{
type = "AWS"
identifiers = ["*"] # wildcard, made acceptable to the query by the condition below
}
]
condition = {
StringEquals = {
"aws:VpceAccount" = "987654321098" # owner of the VPC endpoint, not of the caller
}
}
}
]
}
Negative test num. 7 - tf file
# Negative: the principal is a specific account root, not "*", so the query does not report it.
# The account root grant delegates to 123456789012's own IAM policies, which decide which of
# its users and roles may publish. "Resource": "*" in a topic policy still means this topic.
module "sns_topic_with_policy_field_valid" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-policy-valid"
# Heredoc JSON — comments cannot be placed inside the policy body.
topic_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSpecificAccount",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sns:Publish",
"Resource": "*"
}
]
}
EOF
}
Negative test num. 8 - tf file
# Negative: structured form of a policy whose only identifier is a specific account root.
# No wildcard principal is present, so the query does not report it; the named account's
# own IAM policies govern which of its principals may publish.
module "sns_topic_with_policy_statements_valid" {
source = "terraform-aws-modules/sns/aws"
version = "~> 6.0"
name = "example-sns-topic-statements-valid"
topic_policy_statements = [
{
sid = "AllowSpecificPrincipal"
effect = "Allow"
actions = ["sns:Publish"]
principals = [
{
type = "AWS"
identifiers = ["arn:aws:iam::123456789012:root"] # specific account, not "*"
}
]
}
]
}