SNS topic policy is public and access is not restricted to specific services or principals

Description

It is generally a best practice to restrict access to Amazon SNS topics to only the specific services or principals that require access. This can help to reduce the risk of unauthorized access to the data stored in your topics and protect against potential data breaches.

Code Example

terraform
resource "aws_sns_topic_policy" "sns_tp1" {
  ...
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
+     "Effect": "Deny",
      "Action": [
        "SNS:Subscribe",
        "SNS:SetTopicAttributes",
        "SNS:RemovePermission",
        "SNS:Receive",
        "SNS:Publish",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:AddPermission"
      ],
      "Resource": "${aws_sns_topic.test.arn}"
    }
  ]
}
POLICY
}

Remediation

Terraform

  • Resource: aws_sns_topic_policy
  • Arguments: Statement
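The following is an added example, not Checkov's own implementation of CKV_AWS_169 and not code from this page. It applies the rule's idea to the JSON document that goes into the policy argument of aws_sns_topic_policy: an Allow statement whose Principal is a wildcard ("*" or {"AWS": "*"}) and that carries no Condition is reported as public, while Deny statements (like the one in the code example above) are not. The two policies, the account ID, topic ARN, role and EventBridge rule names are constructed sample values.

```python
"""Flag SNS topic policy statements that grant access to any principal.

Added example; a simplified approximation of the check described on this page,
not Checkov's source. All ARNs and account IDs below are constructed.
"""
import json


def _as_list(value):
    """Normalise a policy field that may be a scalar or a list into a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True if the Principal element is "*" or contains "*" under any key
    (for example {"AWS": "*"} or {"AWS": ["*"]})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_text):
    """Return the Sid (or a positional label) of every statement that opens
    the topic to everyone.

    A statement counts as public when Effect is Allow, the Principal is a
    wildcard and there is no Condition. Assumption of this example: any
    Condition block is treated as scoping the grant, which is looser than a
    full policy evaluation but matches the spirit of the rule.
    """
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample of the weak setting: anyone may publish and subscribe.
PUBLIC_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenToAll",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["SNS:Publish", "SNS:Subscribe"],
      "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"
    }
  ]
}"""

# Constructed sample of the corrected setting: one service principal, limited
# to a named EventBridge rule, plus one IAM role allowed to subscribe.
RESTRICTED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEventBridgeRuleOnly",
      "Effect": "Allow",
      "Principal": {"Service": "events.amazonaws.com"},
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:events:us-east-1:111122223333:rule/example-rule"
        }
      }
    },
    {
      "Sid": "AllowSubscriberRole",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-subscriber"},
      "Action": "SNS:Subscribe",
      "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"
    }
  ]
}"""

if __name__ == "__main__":
    print("public policy findings:    ", public_statements(PUBLIC_POLICY))
    print("restricted policy findings:", public_statements(RESTRICTED_POLICY))
```

Run it against the heredoc contents of your own aws_sns_topic_policy resources before applying them; the interpolated `${aws_sns_topic.test.arn}` string is only a placeholder inside the JSON and does not affect the principal check.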

Rule Details

Field         Value
ID            IAC-0218
Severity      MEDIUM
IaC Type      Terraform
Frameworks    Terraform, TerraformPlan
Checkov ID    CKV_AWS_169
