For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-sns-topic-is-publicly-accessible.md. A documentation index is available at /llms.txt.

SNS topic is publicly accessible

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-sns-topic-is-publicly-accessible

Provider: AWS

Platform: CloudFormation

Severity: Critical

Category: Access Control

Learn More

Description

SNS topic policies must not grant Allow permissions to all principals because that effectively makes the topic public. This can allow unauthenticated users or arbitrary AWS accounts to publish to or subscribe from the topic, risking data exposure, spam, and abuse.

Check AWS::SNS::TopicPolicy resources’ Properties.PolicyDocument.Statement entries. Any statement with Effect: "Allow" and Principal: "*", or Principal.AWS: "*", will be flagged.

To remediate, require explicit principals such as AWS account ARNs or service principals, or use scoped conditions for cross-account access rather than wildcard principals. Statements that list wildcard principals, or omit principal restrictions, should be corrected.

Secure configuration example (CloudFormation YAML):

MyTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    Topics:
      - !Ref MyTopic
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:root
          Action:
            - sns:Publish
          Resource: !Ref MyTopic

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  snsPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        PolicyDocument:
          Statement: [
            {
              "Sid": "MyTopicPolicy",
              "Effect": "Allow",
              "Principal": "otherPrincipal",
              "Action": ["sns:Publish"],
              "Resource": "arn:aws:sns:MyTopic"
            }]

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "",
  "Resources": {
    "mysnspolicy0" : {
      "Type" : "AWS::SNS::TopicPolicy",
      "Properties" : {
        "PolicyDocument" :  {
          "Id" : "MyTopicPolicy",
          "Version" : "2012-10-17",
          "Statement" : [ {
            "Sid" : "My-statement-id",
            "Effect" : "Allow",
            "Principal" : "otherPrincipal",
            "Action" : "sns:Publish",
            "Resource" : "*"
          } ]
        },
        "Topics" : [ { "Ref" : "MySNSTopic" } ]
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  snsPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        PolicyDocument:
          Statement: [
            {
              "Sid": "MyTopicPolicy",
              "Effect": "Allow",
              "Principal": "*",
              "Action": ["sns:Publish"],
              "Resource": "arn:aws:sns:MyTopic"
            }]

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "",
  "Resources": {
    "mysnspolicy0" : {
      "Type" : "AWS::SNS::TopicPolicy",
      "Properties" : {
        "PolicyDocument" :  {
          "Id" : "MyTopicPolicy",
          "Version" : "2012-10-17",
          "Statement" : [ {
            "Sid" : "My-statement-id",
            "Effect" : "Allow",
            "Principal" : "*",
            "Action" : "sns:Publish",
            "Resource" : "*"
          } ]
        },
        "Topics" : [ { "Ref" : "MySNSTopic" } ]
      }
    }
  }
}