Ensure the SNS topic policy created by CloudTrail has a condition using either the aws:SourceArn or the aws:SourceAccount condition key in the Amazon Simple Notification Service (SNS) topic

LOW

Description

CloudTrail creates this policy so that it can send notifications about log file delivery from supported regions. By default the policy is overly permissive, which could allow sensitive data to be read.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the SQS console.
  2. In the list of Queues, select the Queue to edit.
  3. Select the Access policy tab.
  4. Select Edit and then edit the policy accordingly.
  5. Select Save.

In Terraform -

  1. Review the policy attached to the aws_sqs_queue resource and ensure necessary changes are made.
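The following Python is an added example, not part of this rule page or of any AWS or Terraform code: it embeds a constructed copy of the topic policy CloudTrail creates by default beside a version remediated with an aws:SourceArn condition, and implements the check this rule performs. The region, account id, topic and trail names are placeholders; the check treats a statement as a finding when it allows SNS:Publish to the CloudTrail service principal (or to everyone) with neither aws:SourceArn nor aws:SourceAccount in any condition block.

```python
import json

# Condition keys the rule accepts: either one scopes the grant to a specific
# trail (aws:SourceArn) or to trails in a given account (aws:SourceAccount).
# IAM condition keys are case-insensitive, so they are stored lower-cased.
REQUIRED_CONDITION_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

# Constructed sample of the topic policy CloudTrail creates by default
# (region, account id and resource names are placeholders).
DEFAULT_CLOUDTRAIL_SNS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailSNSPolicy20131101",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:111122223333:example-trail-topic",
    }],
})

# Constructed sample of the remediated policy: the same grant, now limited to
# one named trail in the account through aws:SourceArn.
HARDENED_CLOUDTRAIL_SNS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailSNSPolicy20131101",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:111122223333:example-trail-topic",
        "Condition": {"StringEquals": {
            "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"
        }},
    }],
})


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_publish(statement):
    """True if the statement is an Allow covering SNS:Publish (or a wildcard)."""
    if statement.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(a in ("sns:publish", "sns:*", "*") for a in actions)


def _cloudtrail_can_use(statement):
    """True if CloudTrail (or everyone, via '*') is a principal of the statement."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    if "*" in _as_list(principal.get("AWS")):
        return True
    services = [s.lower() for s in _as_list(principal.get("Service"))]
    return "cloudtrail.amazonaws.com" in services


def _has_source_condition(statement):
    """True if any condition block names aws:SourceArn or aws:SourceAccount."""
    for key_values in statement.get("Condition", {}).values():
        if isinstance(key_values, dict):
            if any(k.lower() in REQUIRED_CONDITION_KEYS for k in key_values):
                return True
    return False


def find_unscoped_cloudtrail_statements(policy_json):
    """Return identifiers of statements that let CloudTrail publish without
    source scoping: the Sid when present, otherwise 'statement-<index>'."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if (_grants_publish(statement)
                and _cloudtrail_can_use(statement)
                and not _has_source_condition(statement)):
            findings.append(statement.get("Sid", f"statement-{index}"))
    return findings


def policy_is_compliant(policy_json):
    """Rule outcome: compliant when no unscoped CloudTrail publish grant remains."""
    return not find_unscoped_cloudtrail_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_CLOUDTRAIL_SNS_POLICY),
                      ("hardened", HARDENED_CLOUDTRAIL_SNS_POLICY)):
        if policy_is_compliant(doc):
            print(name, "compliant")
        else:
            print(name, "non-compliant:", find_unscoped_cloudtrail_statements(doc))
```

Running the block reports the default policy as non-compliant (its single statement has no condition) and the hardened one as compliant. The check deliberately also flags a wildcard principal, since a statement that lets everyone publish lets CloudTrail publish too, and it reads the policy document directly so it can be run against the output of a topic policy export as well as against the inline samples.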

References:
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-add-permissions.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue

Policy Details

Rule Reference ID: AC_AWS_0491
CSP: AWS
Remediation Available: Yes
Resource: aws_sns_topic
Resource Category: Messaging

Frameworks