CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
Using a wildcard principal grants unnecessary access to any user in the account.
Configure the aws_sns_topic policy field or the aws_sns_topic_policy resource with a valid principal.
If an SNS policy is defined in either an aws_sns_topic policy field or an aws_sns_topic_policy resource, ensure the JSON document does NOT contain an invalid principal in either of these forms:
"*"
"AWS": "*"
```hcl
resource "aws_sns_topic" "example" {
  name = "example"
  # other required fields here
}

# Attach the policy to the topic as a separate resource.
resource "aws_sns_topic_policy" "example" {
  arn    = aws_sns_topic.example.arn
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

# Resolves the account the configuration is applied in, so the
# principal below is scoped to that account rather than "*".
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sns_topic_policy" {
  statement {
    effect = "Allow"
    actions = [
      "SNS:Subscribe",
      "SNS:SetTopicAttributes",
      "SNS:RemovePermission",
      "SNS:Receive",
      "SNS:Publish",
      "SNS:ListSubscriptionsByTopic",
      "SNS:GetTopicAttributes",
      "SNS:DeleteTopic",
      "SNS:AddPermission",
    ]
    # A specific AWS principal (the current account) instead of a wildcard.
    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.account_id]
    }
    resources = [aws_sns_topic.example.arn]
  }
}
```
Set the Principal attribute in the policy to specific entities, for example arn:aws:iam::123456789012:user/JohnDoe.
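As an added example that is not part of the original page, the following Python checker applies this rule to a rendered SNS topic policy document: it flags any Allow statement whose Principal is the wildcard in either of the two forms listed above ("*" directly, or "*" under the AWS key, including inside a list). The sample policy, Sids and ARNs are constructed for illustration.

```python
import json
from typing import List

# Constructed sample policy: one wildcard statement and one scoped to a single user.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OpenToEveryone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-1:123456789012:example",
        },
        {
            "Sid": "ScopedToOneUser",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/JohnDoe"},
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:123456789012:example",
        },
    ],
})


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_has_wildcard_principal(statement: dict) -> bool:
    """True when an Allow statement names '*' directly or under the AWS key."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_wildcard_statements(policy_json: str) -> List[str]:
    """Return the Sid (or positional label) of every statement the rule would flag."""
    policy = json.loads(policy_json)
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if statement_has_wildcard_principal(stmt):
            flagged.append(stmt.get("Sid", f"Statement[{i}]"))
    return flagged
```

Run find_wildcard_statements on the JSON produced by the aws_iam_policy_document data source above to confirm the fixed policy yields an empty list.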