SNS Topic should have access restrictions set for subscription

sns
이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

Update your Amazon Simple Notification Service (SNS) topic resource-based policy to prevent unintended access to the resource.

Rationale

When a * is specified as a Principal, along with an Allow Effect it grants anyone the ability to perform actions on a resource. In this situation, if the policy includes the sns:Subscribe Action, it would permit anyone the ability to receive messages from the topic, resulting in an impact to the confidentiality of the application.

Remediation

From the console

Follow the Preventative best practices docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.

From the command line

  1. Update your resource-based policy with an appropriate Principal ARN or a Condition element. Save the file as policy.json.

    {
  ...
  "Statement": [
    ...
    {
      "Sid": "console_sub",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "SNS:Subscribe"
      ],
      ...
    }
  ]
}

  2. Run set-topic-attributes with the ARN of the SNS topic.

    aws sns set-topic-attributes \
  --topic-arn arn:aws:sns:region:123456789012:YourTopic \
  --attribute-name Policy \
  --attribute-value file://policy.json