Ensure AWS SNS topic policies do not allow cross-account access
Description
This policy checks whether an AWS SNS topic policy contains an Allow statement whose Principal is "*" or an account other than the one that owns the topic and that carries no Condition element. Such a statement lets any identity in the named account (or, for "*", any identity at all) perform the listed actions on the topic, so a compromised or misconfigured foreign principal can publish spoofed messages to every subscriber or subscribe and read notifications that may contain sensitive data. Restrict each statement to the specific accounts that need access and add a Condition that pins the caller, for example aws:PrincipalAccount or aws:PrincipalOrgID for IAM principals and aws:SourceAccount or aws:SourceArn for AWS service principals, so that access is granted only in the intended context.
Code Example
```terraform
resource "aws_sns_topic_policy" "example" {
  arn = aws_sns_topic.example.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowCrossAccountAccess"
        Effect = "Allow"
        # Name the one partner account that needs access; never use "*".
        Principal = {
          AWS = "arn:aws:iam::123456789012:root"
        }
        Action   = "sns:Publish"
        Resource = aws_sns_topic.example.arn
        # aws:PrincipalAccount is populated on every signed request from an IAM
        # principal. aws:SourceAccount is only set when an AWS service calls SNS
        # on behalf of a resource, so it would not match this principal and the
        # statement would never allow anything.
        Condition = {
          StringEquals = {
            "aws:PrincipalAccount" = "123456789012"
          }
        }
      }
    ]
  })
}
```
Remediation
Ensure that every Allow statement in the SNS topic policy that grants access to another account or to "*" carries a Condition element, or remove the cross-account principal altogether. Use a condition key the caller actually populates: aws:PrincipalAccount or aws:PrincipalOrgID for IAM principals, and aws:SourceAccount together with aws:SourceArn for service principals such as s3.amazonaws.com or events.amazonaws.com (aws:SourceAccount is not present on direct calls from IAM principals, so on its own it does not constrain them). A Condition that never matches means the statement never allows, so verify the policy with a real publish from the intended caller before relying on it.
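The following is an added example, not code from this page or from Checkov's own implementation, that evaluates SNS topic policy documents the way the rule above describes: it walks every Allow statement, flags those whose Principal is "*" or belongs to an account other than the topic owner, and reports them only when no Condition is present. The account IDs, topic ARN and bucket name are constructed for the example. It goes slightly beyond the page's wording in one respect, also treating an unconditioned AWS service principal as cross-account, because without aws:SourceAccount/aws:SourceArn any account's resource can drive that service to publish to the topic.

```python
"""Flag SNS topic policy statements that grant cross-account access without a Condition.

Constructed example: the policy documents below are made-up samples, and "cross-account"
here means any principal outside the topic owner's account, including "*" and service
principals that are not pinned down with aws:SourceAccount / aws:SourceArn.
"""
import json
from typing import Any, List, Optional

# Constructed: the topic is owned by 111111111111; 222222222222 is a partner account.
TOPIC_OWNER_ACCOUNT = "111111111111"
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:alerts"

# Weak: anyone may publish, and the partner account is allowed with no Condition at all.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicPublish", "Effect": "Allow", "Principal": "*",
         "Action": "sns:Publish", "Resource": TOPIC_ARN},
        {"Sid": "PartnerPublish", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sns:Publish", "Resource": TOPIC_ARN},
    ],
})

# Hardened: the partner grant is conditioned on aws:PrincipalAccount (populated for IAM
# callers) and the S3 service grant is pinned to one bucket in the owner account with
# aws:SourceAccount / aws:SourceArn (populated for service-originated calls).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerPublish", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sns:Publish", "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"aws:PrincipalAccount": "222222222222"}}},
        {"Sid": "S3EventPublish", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "sns:Publish", "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"},
                       "ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}}},
    ],
})


def _principals(principal: Any) -> List[str]:
    """Flatten the Principal element: "*", {"AWS": "..."}, {"AWS": [...]}, {"Service": "..."}."""
    if principal == "*":
        return ["*"]
    flat: List[str] = []
    for value in principal.values():
        flat.extend([value] if isinstance(value, str) else value)
    return flat


def _account_of(principal: str) -> Optional[str]:
    """Account ID behind an AWS principal, or None for "*" and service principals."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4]
    return None


def _is_external(principal: str, owner_account: str) -> bool:
    """True when the principal is not confined to the owner's account."""
    if principal == "*":
        return True
    account = _account_of(principal)
    if account is not None:
        return account != owner_account
    # Service principal: any account's resource can invoke it unless a Condition pins it.
    return True


def find_unconditional_cross_account(policy_json: str, owner_account: str) -> List[str]:
    """Return the Sids (or positional labels) of Allow statements that grant access to
    principals outside owner_account and carry no Condition element."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings: List[str] = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow" or "Principal" not in statement:
            continue
        if statement.get("Condition"):  # the rule only asks that some Condition exist
            continue
        if any(_is_external(p, owner_account) for p in _principals(statement["Principal"])):
            findings.append(statement.get("Sid", f"statement[{index}]"))
    return findings


if __name__ == "__main__":
    print("weak:", find_unconditional_cross_account(WEAK_POLICY, TOPIC_OWNER_ACCOUNT))
    print("hardened:", find_unconditional_cross_account(HARDENED_POLICY, TOPIC_OWNER_ACCOUNT))
```

Note that, like the rule itself, the function only checks that a Condition exists; it does not judge whether the condition key is one the caller actually populates, which is why the hardened sample pairs aws:PrincipalAccount with the IAM principal and aws:SourceAccount/aws:SourceArn with the service principal.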
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0432 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | aws_sns_topic_policy |
| Checkov ID | CKV_AWS_385 |