SNS topic publicity has allow and NotAction simultaneously
Id: terraform-aws-sns-topic-publicity-has-allow-and-not-action-simultaneously
Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Description: An SNS topic policy should not combine "Effect": "Allow" with the "NotAction" element. Such a statement grants every action except the ones listed in "NotAction" (it does not deny them), which significantly increases the potential attack surface. This misconfiguration can unintentionally allow broad access to the SNS topic, which may be exploited by attackers to perform unauthorized actions. To secure the policy, enumerate the permitted actions in the "Action" element alongside "Effect": "Allow", as shown below:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::*"
}
]
}
# Compliant Code Examples

# Compliant: this topic has no policy document attached at all, so there is
# no statement that could pair "Effect": "Allow" with "NotAction".
resource "aws_sns_topic" "negative1" {
  name = "my-topic-with-policy"
}
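# Compliant: the single statement names an explicit "Action" under
# "Effect": "Allow" and contains no "NotAction", so the grant is bounded to
# exactly the listed operation.
resource "aws_sns_topic_policy" "negative2" {
  # NOTE(review): references a topic named "test" that is not declared in
  # these snippets (the topic above is "negative1"); presumably a shared fixture.
  arn = aws_sns_topic.test.arn

  # NOTE(review): the statement carries no "Principal"; AWS requires one in a
  # resource-based policy. Kept as on the page because the example only
  # illustrates Action vs NotAction.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYPOLICYTEST",
  "Statement": [
    {
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::*",
      "Sid": "MyStatementId",
      "Effect": "Allow"
    }
  ]
}
POLICY
}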
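# Compliant: the bucket policy grants an explicit "Action" and never uses
# "NotAction". This is an S3 module rather than an SNS topic; it appears to be
# a shared fixture for the rule's policy-document matching and is kept as-is.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYPOLICYTEST",
  "Statement": [
    {
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::*",
      "Sid": "MyStatementId",
      "Effect": "Allow"
    }
  ]
}
POLICY

  # Objects are encrypted at rest with a customer-managed KMS key.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}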
# Non-Compliant Code Examples

# Topic declared alongside the non-compliant policies below. The resource
# itself carries no policy document; the offending statements live in the
# aws_sns_topic_policy resources that follow.
resource "aws_sns_topic" "positive1" {
  name = "my-topic-with-policy"
}
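# Non-compliant: "NotAction": "s3:DeleteBucket" under "Effect": "Allow"
# permits every action EXCEPT s3:DeleteBucket. The fix is to replace
# "NotAction" with an explicit "Action" list of what is actually needed.
resource "aws_sns_topic_policy" "positive2" {
  # NOTE(review): references a topic named "test" that is not declared in
  # these snippets; presumably a shared fixture.
  arn = aws_sns_topic.test.arn

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYPOLICYTEST",
  "Statement": [
    {
      "NotAction": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::*",
      "Sid": "MyStatementId",
      "Effect": "Allow"
    }
  ]
}
POLICY
}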
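# Non-compliant: the bucket policy pairs "NotAction" with "Effect": "Allow",
# so it grants every action except s3:DeleteBucket. Same S3-module fixture as
# in the compliant section, differing only in NotAction vs Action.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYPOLICYTEST",
  "Statement": [
    {
      "NotAction": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::*",
      "Sid": "MyStatementId",
      "Effect": "Allow"
    }
  ]
}
POLICY

  # Encryption at rest does not affect this finding; the issue is the policy.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}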
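# Non-compliant: a single offending statement is enough. The "Safe" statement
# grants only SNS:Publish, but the "Vulnerable" statement grants every action
# except SNS:DeleteTopic to the same principal via "NotAction".
resource "aws_sns_topic_policy" "multi_statement" {
  # NOTE(review): references a topic named "example" that is not declared in
  # these snippets; presumably a shared fixture.
  arn = aws_sns_topic.example.arn

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Safe",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:example"
    },
    {
      "Sid": "Vulnerable",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "NotAction": "SNS:DeleteTopic",
      "Resource": "arn:aws:sns:us-east-1:123456789012:example"
    }
  ]
}
POLICY
}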
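# Non-compliant: the same Allow + NotAction pattern expressed through
# jsonencode() instead of a heredoc. The policy document is what matters,
# not how it is built, so this form is flagged as well.
resource "aws_sns_topic_policy" "jsonencoded" {
  # NOTE(review): references a topic named "example" that is not declared in
  # these snippets; presumably a shared fixture.
  arn = aws_sns_topic.example.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "JsonEncodedVulnerable"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::123456789012:root" }
        NotAction = "SNS:DeleteTopic"
        Resource  = "arn:aws:sns:us-east-1:123456789012:example"
      }
    ]
  })
}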