SNS topic access policies should not allow public access
Description
This control checks whether the Amazon SNS topic access policy allows public access. The control fails if the SNS topic access policy allows public access. You use an Amazon SNS access policy with a particular topic to restrict who can work with that topic (for example, who can publish messages to it or who can subscribe to it). SNS policies can grant access to other AWS accounts, or to users within your own AWS account. A wildcard (*) in the Principal field of the topic policy, combined with no conditions limiting the statement, can result in data exfiltration, denial of service, or undesired injection of messages into your service by an attacker.
Remediation
To remediate this issue, update the SNS topic access policy to remove public access permissions. Remove statements that have Principal: '*' without restrictive conditions, or add conditions that limit access to specific AWS accounts or IP addresses.
Steps
- Open the Amazon SNS console.
- Select the SNS topic with the public access policy.
- Go to the 'Access policy' section in the topic's settings.
- Review the policy statements and identify any that have Principal: '*'.
- Either remove these statements or add conditions (such as SourceAccount or SourceArn) to restrict access.
- Save the updated access policy.
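As an added example (not part of this control's text), a small Python check that applies the rule described in the remediation to a topic policy document: it flags Allow statements whose Principal is a wildcard and that carry none of the scoping condition keys the steps name. The sample policy, account ID and topic ARN are constructed for illustration, and the list of restricting condition keys is an assumption based on the keys mentioned above.

```python
import json

# Condition keys that scope a wildcard principal to an account, resource,
# organization or network. Assumption: mirrors the keys the control names
# (SourceAccount, SourceArn) plus the other common scoping keys.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:principalorgid", "aws:principalaccount", "aws:sourceip",
}

def _is_wildcard_principal(principal):
    """True when Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def _has_restricting_condition(statement):
    """True when any condition operator uses a key that narrows the principal."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in RESTRICTING_CONDITION_KEYS:
                return True
    return False

def find_public_statements(policy_json):
    """Return the Sids of Allow statements that expose the topic publicly."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    public = []
    for idx, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not _has_restricting_condition(stmt)):
            public.append(stmt.get("Sid", f"statement-{idx}"))
    return public

# Constructed sample: the first statement is open to anyone (fails the control),
# the second uses a wildcard but is scoped to one source account (passes).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicSubscribe", "Effect": "Allow", "Principal": "*",
     "Action": "SNS:Subscribe", "Resource": "arn:aws:sns:us-east-1:111122223333:alerts"},
    {"Sid": "PublishFromOwnAccount", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-1:111122223333:alerts",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
]})

if __name__ == "__main__":
    print(find_public_statements(SAMPLE_POLICY))  # ['PublicSubscribe']
```

The check tests only for the presence of a scoping key, not its value, so a condition such as aws:SourceArn set to "*" would still pass and should be reviewed by hand.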