SNS Topic should have restrictions set for publishing

Docs > Datadog Security > OOTB Rules > SNS Topic should have restrictions set for publishing

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

Update your Amazon Simple Notification Service (SNS) topic publishing permissions.

Rationale

A resource-based policy attached to an SNS topic with a Principal of * and an Action of sns:Publish allows anyone to publish to a topic. Unauthenticated users can publish arbitrary messages, potentially leading to an impact for downstream applications.

Remediation

From the console

Follow the Preventative best practices docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.

From the command line

Update your access control policy with an appropriate Principal ARN. Save the file as policy.json.

{
  ...
  "Statement": [
    ...
    {
      "Sid": "console_pub",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "SNS:Publish"
      ],
      ...
    }
  ]
}

Run set-topic-attributes with the ARN of the SNS topic.

aws sns set-topic-attributes
  --topic-arn arn:aws:sns:region:123456789012:YourTopic
  --attribute-name Policy
  --attribute-value file://policy.json