2.9 Ensure SNS Topics do not Allow Everyone To Publish

Information

Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery of messages to subscribing endpoints or clients. In Amazon SNS there are two types of clients, publishers and subscribers, also referred to as producers and consumers. Publishers communicate asynchronously with subscribers by producing and sending a message to a topic, which is a logical access point and communication channel. Subscribers (e.g., web servers, email addresses, Amazon SQS queues, AWS Lambda functions) receive the message or notification over one of the supported protocols (e.g., Amazon SQS, HTTP/S, email, SMS, Lambda) once they are subscribed to the topic.

Which entities can publish messages to an SNS topic is controlled by the topic policy; the options are:

* The topic owner
* Everyone
* Specific AWS users or resources

Of these publisher options, make sure that "Everyone" is not used for any SNS topic in the AWS account.
If an SNS topic policy allows "Everyone" to publish messages to a topic, any unauthenticated entity could send malicious messages to all of that topic's subscribers.

Solution

Edit your existing policy by deleting the above snippet or replacing "Principal":{"AWS" : "*"} with "Principal":{"AWS" : "<iam_user>"}, and save it locally as a .json file named policy.json.

Using the Amazon unified command line interface:

* Set the new policy on the SNS topic

aws sns set-topic-attributes --topic-arn <sns_topic_arn> --attribute-name Policy --attribute-value file://policy.json
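The following is an added example, not part of the benchmark text, that shows both halves of this control in code: a policy document that allows "Everyone" to publish beside the narrowed version described in the Solution, and a check that flags any Allow statement whose Principal is "*" (written either as "Principal": "*" or as "Principal": {"AWS": "*"}) and whose Action covers sns:Publish. The topic ARN, account ID and IAM user ARN are constructed placeholders. Statements that carry a Condition block are reported separately rather than as open to everyone; that distinction is an assumption of this example, not something the control text states.

```python
import json

# Constructed sample (not from the page): the weak setting the control describes,
# where any caller may publish to the topic.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEveryonePublish",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
        }
    ],
})

# Constructed sample: the same statement with the principal narrowed to one IAM user,
# which is what the Solution's policy.json would contain.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnePublisher",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-publisher"},
            "Action": ["SNS:Publish"],
            "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
        }
    ],
})

# Actions that grant publishing, compared case-insensitively (IAM action names are
# case-insensitive; "sns:*" and "*" both include Publish).
PUBLISH_ACTIONS = {"sns:publish", "sns:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True when the Principal element matches any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def grants_publish(actions):
    """True when the Action element includes SNS Publish."""
    return any(a.lower() in PUBLISH_ACTIONS for a in _as_list(actions))


def find_public_publish_statements(policy_json):
    """Return (sid, has_condition) for each Allow statement that lets everyone publish.

    has_condition is False for the unconditional case the control targets, and True
    when the statement has a Condition block that may scope it (reported so it can be
    reviewed, since a weak condition can still leave the topic effectively public).
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        if not grants_publish(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        findings.append((sid, bool(stmt.get("Condition"))))
    return findings


def topic_allows_everyone_to_publish(policy_json):
    """The pass/fail verdict for this control: any unconditional public-publish statement."""
    return any(not has_condition for _, has_condition in find_public_publish_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        verdict = "FAIL" if topic_allows_everyone_to_publish(doc) else "PASS"
        print(f"{name}: {verdict} {find_public_publish_statements(doc)}")
```

To audit a real topic, pass the string returned in the Policy attribute of `aws sns get-topic-attributes --topic-arn <sns_topic_arn>` to `topic_allows_everyone_to_publish`; the HARDENED_POLICY document, with the placeholders replaced, is the shape of policy.json that the set-topic-attributes command above applies.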

See Also

https://workbench.cisecurity.org/files/260