| Plugin Title | SNS Topic Policies |
| --- | --- |
| Cloud | AWS |
| Category | SNS |
| Description | Ensures SNS topics do not allow global send or subscribe. |
| More Info | SNS policies should not be configured to allow any AWS user to subscribe or send messages. This could result in data leakage or financial DDoS. |
| AWS Link | http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html |
| Recommended Action | Adjust the topic policy to only allow authorized AWS users in known accounts to subscribe. |
- Log in to the AWS Management Console.
- Select the "Services" option and search for SNS.
- In the left navigation panel, select Topics under SNS Dashboard.
- Select the Topic by clicking on the ID.
- In the Topic configuration page, scroll down and click on the "Access policy" tab.
- Check the value of the "Principal" key. If it is set to (*), i.e. everyone, then this topic allows access to everyone.
- To change the access policy, click on the "Edit" button at the top of the page.
- On the "Edit topic" page, scroll down to "Access policy" and in the "JSON editor" change the "Principal" key to the ARN of the authorized IAM user or role, e.g. arn:aws:iam::066531304300:user/dev27.
- Click on the "Save changes" button at the bottom of the page.
- Repeat steps 3-9 for all other SNS Topics across all regions.
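The manual check above (a `Principal` of `*` on a statement that allows `sns:Subscribe` or `sns:Publish`) can be automated. The following is an added example, not the plugin's own code: a pure-Python evaluator that parses an SNS topic access policy document and reports every `Allow` statement that grants those actions to everyone. The three policy documents are constructed for illustration; the topic ARN and the `AllowEveryone` / `ScopedToKnownPrincipal` / `DefaultStyleConditional` statement ids are assumptions, and the IAM user ARN reuses the one from the remediation steps.

```python
import json
from typing import Any

# Actions that would let any AWS identity subscribe to, or send messages to, the topic.
GLOBAL_RISK_ACTIONS = {"sns:subscribe", "sns:publish", "sns:*", "*"}


def _as_list(value: Any) -> list:
    """Statement, Action and Principal fields may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """True when the Principal element is "*" or {"AWS": "*"} (any AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def find_global_statements(policy_document: str) -> list:
    """Return one finding per Allow statement that lets everyone Subscribe or Publish.

    A statement that carries a Condition is still reported but marked conditional,
    so the reviewer can judge whether the condition (e.g. a SourceOwner check)
    actually restricts the grant to known accounts.
    """
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        # Action names are case-insensitive in IAM; SNS often writes "SNS:Publish".
        risky = sorted(a for a in _as_list(stmt.get("Action"))
                       if a.lower() in GLOBAL_RISK_ACTIONS)
        if not risky:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": risky,
            "conditional": "Condition" in stmt,
        })
    return findings


# Constructed sample policies (topic ARN and Sids are assumptions for this example).
TOPIC_ARN = "arn:aws:sns:us-east-1:066531304300:example-topic"

# Weak: anyone may subscribe to or publish on the topic.
GLOBAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["SNS:Subscribe", "SNS:Publish"],
        "Resource": TOPIC_ARN,
    }],
})

# Corrected: the Principal is the ARN of a known IAM user, as in the remediation steps.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ScopedToKnownPrincipal",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::066531304300:user/dev27"},
        "Action": ["SNS:Subscribe", "SNS:Publish"],
        "Resource": TOPIC_ARN,
    }],
})

# Wildcard principal limited by a Condition: reported, but flagged as conditional.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DefaultStyleConditional",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Subscribe"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "066531304300"}},
    }],
})


if __name__ == "__main__":
    for name, doc in [("global", GLOBAL_POLICY), ("scoped", SCOPED_POLICY),
                      ("conditional", CONDITIONAL_POLICY)]:
        print(name, find_global_statements(doc))
```

In a live check, the policy document is the `Policy` attribute returned by `get_topic_attributes(TopicArn=...)` in the SNS API; run `find_global_statements` over that string for every topic returned by `list_topics` in each region to cover step 10 without clicking through the console.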