
SNS Cross-Account Access

This plugin ensures that cross-account access is prohibited by SNS policies.

Risk Level: MEDIUM

Description:

This plugin checks that SNS topic policies do not grant access to AWS accounts other than your own or ones you explicitly trust. The ability to publish to or subscribe to a topic is granted by the topic's access policy, so each Allow statement in that policy should name only specific, known principals.


Recommended Action: Update the SNS policy to prevent access from external accounts.

About the Service:

Amazon SNS (Amazon Simple Notification Service) is a managed service that delivers messages from publishers to subscribers (also known as producers and consumers). Publishers communicate with subscribers asynchronously by sending messages to a topic, which serves as a logical access point and communication route for subscribers. Clients can subscribe to the SNS topic and receive published messages through any supported endpoint, including Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messaging (SMS).

Impact:

An overly permissive topic policy that allows cross-account access from unknown accounts lets those accounts subscribe to the exposed topic, read (intercept) the messages you publish, and publish their own messages to your subscribers. Without properly scoped SNS policies you risk data leakage and unexpected charges on your AWS bill, since every delivery from the topic is billed to the topic owner.

Steps to reproduce:

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine.
  5. Under the Access Policy panel, check out the access policy.
  6. In each Allow statement, check the Principal element and any Condition that scopes it to an account (for example AWS:SourceOwner or aws:SourceAccount). Every account ID or ARN must belong to your own account or to an account you know and trust. Note that the default topic policy uses "Principal": {"AWS": "*"} narrowed by a StringEquals condition on AWS:SourceOwner to your own account ID; that is not cross-account access. A "*" principal without such a condition, or an account ID you do not recognize, is.
  7. If any statement grants access to an unknown account, cross-account access to the selected topic is not secured.
  8. Repeat steps 4-7 for the other topics in the selected region and for each other AWS region.

Steps for remediation:

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to remediate.
  5. Choose Edit and expand the Access policy section to view the policy document.
  6. In each Allow statement, check the Principal element and any account-scoping Condition, and identify every statement that grants access to a "*" principal without such a condition or to an account ID or ARN you do not recognize.
  7. Replace the "*" principal or the unknown account ID/ARN with the ARN of the specific principal that needs access (for example an IAM role in your own account or in a trusted account), or remove the statement entirely if no external access is required, then click Save changes.
  8. Cross-account access is now restricted for the selected topic.
  9. Repeat steps 4-8 for the other topics in the selected region and for each other AWS region.
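The check performed in the reproduction steps and the outcome of the remediation steps, as an added worked example (this is illustrative code written for this page, not the plugin's own implementation). It evaluates an SNS topic policy document against a set of trusted account IDs: Allow statements whose AWS principals fall outside that set are reported unless an account-scoping Condition (AWS:SourceOwner, aws:SourceAccount, aws:PrincipalAccount, aws:PrincipalArn or aws:SourceArn) pins them to a trusted account, which is exactly how the console's default statement is kept in-account. The two sample policies, the account IDs, the topic ARN and the role name are all constructed for the example.

```python
import json

# Condition keys that, when pinned to a trusted account, scope an otherwise open principal;
# the default SNS topic policy relies on AWS:SourceOwner this way. Matched case-insensitively.
ACCOUNT_SCOPING_KEYS = {"aws:sourceowner", "aws:sourceaccount", "aws:principalaccount",
                        "aws:principalarn", "aws:sourcearn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID named by an AWS principal string, or '*' if it is or contains a wildcard."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):                 # arn:partition:service:region:account:resource
        parts = principal.split(":")
        account = parts[4] if len(parts) > 4 else ""
        return account if account and "*" not in account else "*"
    return principal                                 # bare 12-digit account ID

def aws_principals(statement):
    """AWS (account/IAM) principals of a statement; Service and Federated principals are skipped."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))] if isinstance(principal, dict) else []

def accounts_pinned_by_condition(statement):
    """Accounts named by account-scoping keys under positive String*/Arn* operators (None if none)."""
    pinned = None
    for operator, clauses in statement.get("Condition", {}).items():
        op = operator.lower()
        if not (op.startswith("string") or op.startswith("arn")) or "not" in op:
            continue                                 # negated/other operators do not pin an account
        for key, values in clauses.items():
            if key.lower() in ACCOUNT_SCOPING_KEYS:
                pinned = set() if pinned is None else pinned
                pinned.update(account_of(str(v)) for v in _as_list(values))
    return pinned

def cross_account_findings(policy, trusted_accounts):
    """One finding per Allow statement whose principals reach outside trusted_accounts."""
    trusted, findings = set(trusted_accounts), []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        outside = {account_of(p) for p in aws_principals(statement)} - trusted
        if not outside:
            continue
        pinned = accounts_pinned_by_condition(statement)
        if pinned and pinned <= trusted:
            continue                                 # e.g. "*" narrowed by AWS:SourceOwner to our account
        reason = ("wildcard principal without an account-scoping condition" if "*" in outside
                  else "principal(s) from untrusted account(s): " + ", ".join(sorted(outside)))
        findings.append({"Sid": statement.get("Sid", "<no Sid>"),
                         "Actions": _as_list(statement.get("Action", [])), "Reason": reason})
    return findings

def check_policy_document(policy_json, trusted_accounts):
    """Entry point for the Policy attribute string returned by sns get-topic-attributes."""
    return cross_account_findings(json.loads(policy_json), trusted_accounts)

# Constructed sample policies. 123456789012 is the assumed topic-owning account, 210987654321 an
# assumed trusted partner account and 999999999999 an account nobody recognises.
TRUSTED_ACCOUNTS = {"123456789012", "210987654321"}
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:orders"
DEFAULT_STATEMENT = {       # what the console generates for a new topic: "*" scoped to the owner
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"], "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}}
PERMISSIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    DEFAULT_STATEMENT,
    {"Sid": "AnyoneCanSubscribe", "Effect": "Allow", "Principal": "*",        # no Condition at all
     "Action": "SNS:Subscribe", "Resource": TOPIC_ARN},
    {"Sid": "PartnerPublish", "Effect": "Allow", "Action": "SNS:Publish", "Resource": TOPIC_ARN,
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}                # unknown account
REMEDIATED_POLICY = {"Version": "2012-10-17", "Statement": [   # open statement removed, unknown
    DEFAULT_STATEMENT,                                          # root replaced by a known role
    {"Sid": "PartnerPublish", "Effect": "Allow", "Action": "SNS:Publish", "Resource": TOPIC_ARN,
     "Principal": {"AWS": "arn:aws:iam::210987654321:role/order-publisher"}}]}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("remediated", REMEDIATED_POLICY)):
        findings = cross_account_findings(policy, TRUSTED_ACCOUNTS)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['Sid']}: {f['Reason']} (actions: {', '.join(f['Actions'])})")
```

Run against a live topic, feed check_policy_document the Policy attribute from aws sns get-topic-attributes --topic-arn <arn> (enumerate topics per region with aws sns list-topics). The permissive sample yields two findings, AnyoneCanSubscribe and PartnerPublish, and the remediated sample yields none, while the default statement is correctly left alone in both. Service principals (for example s3.amazonaws.com) are deliberately out of scope here; they are not another AWS account, but they should still carry an aws:SourceAccount or aws:SourceArn condition so a service cannot be used as a confused deputy, which is a separate check.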
