--- title: SNS topic publicity has allow and NotAction simultaneously description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SNS topic publicity has allow and NotAction simultaneously --- # SNS topic publicity has allow and NotAction simultaneously {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-sns-topic-publicity-has-allow-and-not-action-simultaneously` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) ### Description{% #description %} An SNS topic policy should not use both `"Effect": "Allow"` and the `"NotAction"` attribute together, as this grants permission to all actions except those explicitly denied, significantly increasing the potential attack surface. This misconfiguration can unintentionally allow broad access to the SNS topic, which may be exploited by attackers to perform unauthorized actions. To secure the policy, use the `"Action"` attribute alongside `"Effect": "Allow"`, as shown below: ``` { "Statement": [ { "Effect": "Allow", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*" } ] } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_sns_topic" "negative1" { name = "my-topic-with-policy" } resource "aws_sns_topic_policy" "negative2" { arn = aws_sns_topic.test.arn policy = <