cs-suite
False positive in SNS_AUDIT
I am seeing a lot of false positives for the SNS Audit along these lines:
Warning: SNS topic arn:aws:sns:eu-west-2:nnnnnnnnnnnn:MGT-NONPROD-CONFIG-ALERTS is publicly accessible
When I look at the policy though:
```json
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:xxxxxxxxxxxxxx:MGT-NONPROD-CONFIG-ALERTS",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "xxxxxxxxxxxxxx"
        }
      }
    }
  ]
}
```
I'm not an expert on AWS, but this reads to me like it is granting access to `"AWS": "*"` and then imposing a condition restricting it to the `"AWS:SourceOwner"`.
Am I completely misinterpreting this or is it a bug?
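One way a scanner can avoid this class of false positive, as an added example (not cs-suite's own code): treat a wildcard principal as public only when no condition pins the grant to an owning account or organization. The account id, Sid values and the set of scoping condition keys are assumptions chosen for the example.

```python
import json

# Added example, not cs-suite's own code. Assumption: a wildcard principal is
# public only when no condition pins the grant to an owning account or org.
SCOPING_KEYS = {"aws:sourceowner", "aws:sourceaccount",
                "aws:principalaccount", "aws:principalorgid"}
SCOPING_OPS = {"StringEquals", "StringEqualsIgnoreCase"}

def principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]

def account_scoped(stmt):
    """True if a Condition narrows the grant to a concrete account or org."""
    for op, keyvals in stmt.get("Condition", {}).items():
        if op not in SCOPING_OPS:
            continue
        for key, val in keyvals.items():
            vals = val if isinstance(val, list) else [val]
            if key.lower() in SCOPING_KEYS and all("*" not in v for v in vals):
                return True
    return False

def public_statements(policy_json):
    """Sids of Allow statements open to any principal with no account scoping."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and "*" in principals(s) and not account_scoped(s)]

# Constructed sample: the issue's default policy with a placeholder account id.
SCOPED = """{"Version": "2008-10-17", "Statement": [{"Sid": "__default_statement_ID",
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:eu-west-2:111122223333:MGT-NONPROD-CONFIG-ALERTS",
  "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}]}"""
# Constructed sample: the same grant with the condition removed (truly public).
OPEN = """{"Version": "2008-10-17", "Statement": [{"Sid": "open_publish",
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:eu-west-2:111122223333:MGT-NONPROD-CONFIG-ALERTS"}]}"""

if __name__ == "__main__":
    print("scoped policy, public statements:", public_statements(SCOPED))  # []
    print("open policy, public statements:", public_statements(OPEN))  # ['open_publish']
```

A scoping condition whose value is itself a wildcard (for example `"AWS:SourceOwner": "*"`) is treated as no scoping at all, so that variant is still reported.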
Definitely a false positive. Thanks for reporting it; I will get it fixed and review it again.
Cheers. If you let me know when the fix is available, I'll pull it and rerun the scan for you.