1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/.
2. In the navigation pane, choose Topics.
3. Select the SNS topic that you want to remediate.
4. Choose the Access policy tab.
5. In the Access policy editor, locate the statement that grants global subscribe permissions. It should look like this:

{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "SNS:Subscribe",
  "Resource": "arn:aws:sns:us-east-1:123456789012:MyTopic",
  "Condition": {
    "StringEquals": {
      "AWS:SourceOwner": "123456789012"
    }
  }
}

6. Remove the "Principal": "*" line from the statement to restrict subscriptions to only AWS accounts that you explicitly specify.
7. Choose Save changes to update the access policy for the SNS topic.

​

1. Open the AWS CLI on your local machine or EC2 instance.
2. Run the following command to list all the SNS topics in your AWS account:
   Copy

   Ask AI

   aws sns list-topics
   

3. Identify the SNS topic(s) that have global subscription enabled.
4. Run the following command to update the policy of the identified SNS topic(s) to disallow global subscription:
   Copy

   Ask AI

   aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value '{"Version":"2008-10-17","Id":"__default_policy_ID","Statement":[{"Effect":"Deny","Principal":{"AWS":"*"},"Action":"SNS:Subscribe","Resource":"<topic-arn>"}]}'
   

   Replace <topic-arn> with the ARN of the identified SNS topic.
5. Verify that the policy has been updated successfully by running the following command:
   Copy

   Ask AI

   aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
   

   Replace <topic-arn> with the ARN of the identified SNS topic.
6. Repeat steps 3-5 for all the SNS topics that have global subscription enabled.

1. First, you need to get a list of all the SNS topics in your AWS account using the boto3 library in Python. You can use the following code snippet to achieve this:

import boto3

sns = boto3.client('sns')
response = sns.list_topics()
topics = response['Topics']

2. Once you have the list of all SNS topics, you can iterate through each topic and check if it allows global subscriptions. To do this, you need to get the policy of the SNS topic using the get_topic_attributes method and then check if the policy allows global subscriptions. You can use the following code snippet to achieve this:

for topic in topics:
    topic_arn = topic['TopicArn']
    attributes = sns.get_topic_attributes(TopicArn=topic_arn)
    policy = attributes['Attributes']['Policy']
    if 'AllowEveryoneToSubscribe' in policy:
        # Remove the global subscription permission
        policy = policy.replace('"AllowEveryoneToSubscribe": "true"', '"AllowEveryoneToSubscribe": "false"')
        # Update the policy
        sns.set_topic_attributes(TopicArn=topic_arn, AttributeName='Policy', AttributeValue=policy)

3. Finally, you need to test the remediation by checking if the SNS topics still allow global subscriptions. You can use the same code snippet in step 2 to check the policy of each SNS topic and make sure that the “AllowEveryoneToSubscribe” parameter is set to “false”.