1. Open the AWS Management Console and navigate to the SNS service.
2. Click on the SNS topic that needs to be remediated.
3. In the topic details page, click on the “Access Policy” tab.
4. Click on the “Edit” button to modify the access policy.
5. In the access policy editor, remove the following statement:

{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:*:*:*"
}

6. Click on the “Save Changes” button to save the updated access policy.
7. Verify that the access policy no longer allows global publishing by checking that the Principal is no longer set to "*".
8. Repeat these steps for any other SNS topics that need to be remediated.

​

1. Open the AWS CLI on your system.
2. Run the following command to list all the SNS topics in your AWS account:
   Copy

   Ask AI

   aws sns list-topics
   

3. Identify the ARN of the SNS topic that needs to be remediated.
4. Run the following command to update the SNS topic policy to disallow global publishing:
   Copy

   Ask AI

   aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value '{"Version":"2008-10-17","Id":"__default_policy_ID","Statement":[{"Effect":"Deny","Principal":"*","Action":"SNS:Publish","Resource":"<topic-arn>","Condition":{"StringEquals":{"AWS:SourceOwner":"<aws-account-id>"}}}]}'
   

   Replace <topic-arn> with the ARN of the SNS topic identified in step 3 and <aws-account-id> with your AWS account ID.
5. Verify that the SNS topic policy has been updated successfully by running the following command:
   Copy

   Ask AI

   aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
   

   This command should return the updated policy that disallows global publishing.
6. Repeat steps 3-5 for all the SNS topics in your AWS account that allow global publishing.

1. Create an AWS SNS client using the Boto3 library in Python.

import boto3

sns_client = boto3.client('sns')

2. Get the list of all SNS topics using the list_topics() method.

response = sns_client.list_topics()
topics = response['Topics']

3. For each topic, check if it has the Policy attribute set. If it does, retrieve the policy using the get_topic_attributes() method.

for topic in topics:
    topic_arn = topic['TopicArn']
    response = sns_client.get_topic_attributes(TopicArn=topic_arn)
    policy = response.get('Attributes', {}).get('Policy')

4. If the policy exists, parse it using the json module and check if it allows global publishing. If it does, update the policy to disallow global publishing using the set_topic_attributes() method.

import json

if policy:
    policy_json = json.loads(policy)
    if 'Statement' in policy_json:
        for statement in policy_json['Statement']:
            if (statement.get('Effect') == 'Allow' and 
                statement.get('Principal') == '*'):
                policy_json['Statement'].remove(statement)
        new_policy = json.dumps(policy_json)
        sns_client.set_topic_attributes(TopicArn=topic_arn, 
                                         AttributeName='Policy', 
                                         AttributeValue=new_policy)

5. Once all the policies have been updated, the misconfiguration has been remediated.