Detection: SNS Topic Granted Public Access
Overview
Detect when an Amazon SNS topic was granted public access. Publicly accessible SNS topics expose sensitive messaging workflows to unauthorized access, increasing the risk of message interception, data breaches, and resource abuse. Restricting access to trusted entities ensures secure messaging and aligns with best practices.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.sns_topic_granted_public_accessSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.sns_topic_granted_public_access --shareSQL
This detection uses a named query:
with policy as ( select *, unnest( from_json((request_parameters ->> 'attributeValue' -> 'Statement'), '["JSON"]') ) as statement_item from aws_cloudtrail_log where event_source = 'sns.amazonaws.com' and event_name = 'SetTopicAttributes' and (request_parameters ->> 'attributeName') = 'Policy')select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'topicArn' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from policywhere (statement_item ->> 'Effect') = 'Allow' and (json_contains((statement_item -> 'Principal'), '{"AWS":"*"}') or ((statement_item ->> 'Principal') = '*')) and error_code is null
order by event_time desc;