Skip to main content

More Info:

Your SNS topics should be configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access. This can prevent data leaks and avoid unexpected costs on your AWS bill.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS, you can follow the below steps:
  1. Open the AWS SNS console at https://console.aws.amazon.com/sns/.
  2. Select the SNS topic that you want to remediate.
  3. Click on the “Access Policy” button under the “Permissions” section on the left side of the console.
  4. Review the access policy to ensure that there is no cross-account access granted to the SNS topic.
  5. If there is cross-account access granted, click on the “Edit” button to modify the access policy.
  6. Remove any statements that grant cross-account access to the SNS topic.
  7. Click on the “Save Changes” button to save the modified access policy.
After following these steps, the SNS topic will no longer have cross-account access and the misconfiguration will be remediated.

To remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the SNS topics in your AWS account: 
aws sns list-topics
  1. Identify the SNS topic that has cross-account access.
  2. Run the following command to remove cross-account access from the SNS topic: 
aws sns remove-permission --topic-arn <topic-arn> --label <permission-label>
Replace <topic-arn> with the ARN of the SNS topic that has cross-account access. Replace <permission-label> with the label of the permission that you want to remove.
  1. Run the following command to verify that the cross-account access has been removed:
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
Replace <topic-arn> with the ARN of the SNS topic that you want to verify.
  1. If the output of the above command shows that the policy for the SNS topic still has cross-account access, then you need to update the policy for the SNS topic.
  2. Run the following command to update the policy for the SNS topic: 
aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value "{}"
Replace <topic-arn> with the ARN of the SNS topic that you want to update.
  1. Run the following command to verify that the policy for the SNS topic has been updated:
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
Replace <topic-arn> with the ARN of the SNS topic that you want to verify.
  1. Repeat steps 3 to 8 for all the SNS topics in your AWS account that have cross-account access.
By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS using AWS CLI.
To remediate the misconfiguration of SNS Topics having cross-account access in AWS using python, you can follow the below steps:
  1. Identify the SNS Topics that have cross-account access.
  2. Revoke the cross-account access for those SNS Topics.
  3. Verify that the cross-account access has been revoked successfully.
Here is the python code to remediate the misconfiguration:
import boto3

# Create an SNS client
sns = boto3.client('sns')

# Get all SNS Topics
topics = sns.list_topics()

# Loop through each topic
for topic in topics['Topics']:
    topic_arn = topic['TopicArn']
    
    # Get the topic policy
    policy = sns.get_topic_attributes(TopicArn=topic_arn)['Attributes']['Policy']
    
    # Check if the policy allows cross-account access
    if 'Statement' in policy:
        for statement in policy['Statement']:
            if 'Condition' in statement and 'ArnLike' in statement['Condition']:
                for arn in statement['Condition']['ArnLike'].values():
                    if 'AWS:*:*:' in arn:
                        print(f"Revoking cross-account access for {topic_arn}")
                        
                        # Revoke the cross-account access
                        statement['Condition']['ArnLike'] = {}
                        sns.set_topic_attributes(TopicArn=topic_arn, AttributeName='Policy', AttributeValue=policy)
                        
                        print(f"Cross-account access revoked for {topic_arn}")
Note: This code will revoke cross-account access for all SNS Topics that have a policy allowing it. It is important to review the policy before revoking access to ensure that it is not needed for any legitimate use case.

Additional Reading:

I