SNS topic policies are analyzed for public principals (e.g., *). Topics that grant access without restrictive conditions such as aws:SourceArn, aws:SourceAccount, aws:PrincipalOrgID, or sns:Endpoint scoping are treated as publicly accessible.
Risk
Public SNS topics allow anyone, including unknown accounts, to:
- Subscribe and siphon messages (confidentiality)
- Publish spoofed payloads that alter downstream workflows (integrity)
- Flood the topic with messages, causing outages and unexpected costs (availability)
They also enable cross-account abuse and bypass the trust boundaries the topic owner expects.
Run this check with Prowler CLI
prowler aws --checks sns_topics_not_publicly_accessible
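The evaluation the check performs, reimplemented as an added stand-alone example (this is not Prowler's source): a policy is public when an Allow statement grants to `*` without one of the scoping condition keys listed above. The topic ARN, account ID and sample policies are constructed for illustration.

```python
import json

# Condition keys the check accepts as scoping a public-principal statement
# (compared case-insensitively, since IAM condition keys are not case-sensitive).
RESTRICTIVE_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:principalorgid", "sns:endpoint",
}

def _is_public_principal(principal) -> bool:
    """True if Principal grants to everyone: "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def _condition_keys(condition: dict) -> set:
    """Flatten {"StringEquals": {"aws:SourceAccount": ...}} into lower-cased key names."""
    return {key.lower() for operator in condition.values() for key in operator}

def is_topic_policy_public(policy_json: str) -> bool:
    """Return True if any Allow statement has a public principal and no restrictive condition."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if _condition_keys(stmt.get("Condition", {})) & RESTRICTIVE_CONDITION_KEYS:
            continue  # public principal, but scoped by an accepted condition key
        return True
    return False

# Constructed sample policies for a hypothetical topic and account.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sns:Subscribe", "Resource": TOPIC_ARN}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sns:Publish", "Resource": TOPIC_ARN,
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]})
ROOT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sns:Publish", "Resource": TOPIC_ARN}]})
```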
Recommendation
Restrict the topic policy to specific principals and minimal actions:
- Avoid Principal: *
- Allow only needed actions (e.g., sns:Publish)
- Add conditions like aws:SourceArn, aws:SourceAccount, aws:PrincipalOrgID, or sns:Endpoint
Apply least privilege, separate duties, and review policies regularly.
Remediation
CLI
aws sns set-topic-attributes --topic-arn <TOPIC_ARN> --attribute-name Policy --attribute-value '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::<ACCOUNT_ID>:root"},"Action":"sns:Publish","Resource":"<TOPIC_ARN>"}]}'
Native IaC
Terraform
Other
- Open the Amazon SNS console and select Topics
- Choose the topic and go to the Access policy tab
- Edit the policy and remove any Principal set to "*" (Everyone/Public)
- Add a statement allowing only your account root: Principal = arn:aws:iam::<ACCOUNT_ID>:root with Action sns:Publish and Resource set to the topic ARN
- Save changes
Source Code
Resource Type
AwsSnsTopic