
SNS Topic has restrictions set for publishing

sns

Classification:

compliance


Description

Update your Amazon Simple Notification Service (SNS) topic publishing permissions.

Rationale

Setting the topic publishing permission to Everyone gives anyone, including unauthenticated callers, access to publish on the topic. Such callers can publish malicious messages to every subscriber of that topic.

Remediation

Console

Follow the Preventative best practices docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.

CLI

  1. Update your topic's access control policy so that the SNS:Publish action is allowed only for your own principal: set the Action to SNS:Publish and the Principal to your AWS IAM ARN, then save the file.

    access-control-policy-pub.json

        {
          ...
          "Statement": [
            ...
            {
              "Sid": "console_pub",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
              },
              "Action": [
                "SNS:Publish"
              ],
              ...
            }
          ]
        }
        
  2. Run set-topic-attributes with the ARN of the SNS topic, passing the saved file as the topic's Policy attribute.

    set-topic-attributes.sh

        # Apply the saved policy as the topic's Policy attribute
        # (the attribute name must be Policy; DisplayName would not change who can publish).
        aws sns set-topic-attributes \
          --topic-arn arn:aws:sns:region:123456789012:YourTopic \
          --attribute-name Policy \
          --attribute-value file://access-control-policy-pub.json
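To check a topic policy for the condition this rule flags (an Allow statement that grants SNS:Publish to any principal, as described under Rationale) against the restricted form produced by the remediation above, here is an added example that is not part of this rule page or of any vendor tooling. The topic ARN, Sids and both policy documents are constructed samples; the check reads a policy document as JSON, so it can be pointed at the output of `aws sns get-topic-attributes` or at a file such as access-control-policy-pub.json.

```python
import json

TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:YourTopic"  # constructed sample

# Constructed sample: the open policy behind an "Everyone" publish setting.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "open_pub", "Effect": "Allow", "Principal": "*",
     "Action": "SNS:Publish", "Resource": TOPIC_ARN}]})

# Constructed sample: the restricted statement from the remediation step.
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "console_pub", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["SNS:Publish"], "Resource": TOPIC_ARN}]})

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """'*' or {'AWS': '*'} grants the action to anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _allows_publish(actions):
    """Publish is granted directly or through an SNS or global action wildcard."""
    return any(a.lower() in ("sns:publish", "sns:*", "*") for a in _as_list(actions))

def open_publish_statements(policy_json):
    """Return the Sids of Allow statements that let any principal publish
    without a Condition narrowing the caller (the finding this rule raises)."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and _is_public(stmt.get("Principal"))
                and _allows_publish(stmt.get("Action", []))
                and not stmt.get("Condition")):  # conditioned grants need manual review
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

if __name__ == "__main__":
    print("open policy:", open_publish_statements(OPEN_POLICY))              # ['open_pub']
    print("restricted policy:", open_publish_statements(RESTRICTED_POLICY))  # []
```

Statements that carry a Condition (for example one limiting publishers by source ARN) are skipped rather than reported, so they still deserve a manual look when reviewing a topic.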