SecurityFTW / cs-suite

Cloud Security Suite - One stop tool for auditing the security posture of AWS/GCP/Azure infrastructure.
GNU General Public License v3.0

False positive in SNS_AUDIT #23

Open museadmin opened 5 years ago

museadmin commented 5 years ago

I am seeing a lot of false positives for the SNS Audit along these lines:

Warning: SNS topic arn:aws:sns:eu-west-2:nnnnnnnnnnnn:MGT-NONPROD-CONFIG-ALERTS is publicly accessible

When I look at the policy though:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:xxxxxxxxxxxxxx:MGT-NONPROD-CONFIG-ALERTS",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "xxxxxxxxxxxxxx"
        }
      }
    }
  ]
}

I'm not an expert on AWS, but this reads to me like it is granting access to AWS:"*" and then imposing a condition restricting it to the "AWS:SourceOwner".

Am I completely misinterpreting this or is it a bug?
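The distinction the reporter is drawing, written out as a policy check. This is an added example and not cs-suite's own SNS_AUDIT code; it assumes the rule that a statement allowing Principal "*" is public only when no condition pins the caller to a concrete account, organisation or ARN (the SNS default policy's AWS:SourceOwner condition is exactly such a pin). The account ids and the second, genuinely public, policy are constructed sample data.

```python
"""Classify an SNS topic policy as public or account-restricted.

Added example (not cs-suite code): a reference check that a scanner such
as SNS_AUDIT would need in order to avoid the false positive reported in
this issue.  Assumption: a grant to Principal "*" is public only when no
condition limits the caller to a specific account, org or ARN.
NotPrincipal and Deny statements are deliberately out of scope here.
"""
import json

# Condition keys that narrow WHO may use the statement.  IAM compares
# condition keys case-insensitively, so we lower-case before matching.
RESTRICTING_KEYS = {
    "aws:sourceowner", "aws:sourceaccount", "aws:principalaccount",
    "aws:principalorgid", "aws:principalarn", "aws:sourcearn",
}
# Only positive (non-negated) comparison operators can narrow a grant;
# StringNotEquals and friends widen it instead.
RESTRICTING_OPERATORS = {
    "stringequals", "stringequalsignorecase", "stringlike",
    "arnequals", "arnlike",
}


def _as_list(value):
    """IAM allows a scalar wherever a list is accepted; normalise."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the AWS entry may be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def condition_restricts_caller(condition) -> bool:
    """True when some condition entry pins the caller to a concrete value.

    A value of "*" under a restricting key pins nothing and is ignored.
    """
    if not isinstance(condition, dict):
        return False
    for operator, pairs in condition.items():
        # Strip set-operator prefixes such as "ForAnyValue:" before matching.
        op = operator.lower().split(":")[-1]
        if op not in RESTRICTING_OPERATORS or not isinstance(pairs, dict):
            continue
        for key, values in pairs.items():
            if key.lower() in RESTRICTING_KEYS:
                if any(v != "*" for v in _as_list(values)):
                    return True
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that any principal can use."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        if condition_restricts_caller(stmt.get("Condition")):
            continue  # wildcard principal, but pinned to an owner/account
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def is_topic_policy_public(policy) -> bool:
    """Accept a policy as a dict or as the JSON string returned by SNS."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return bool(public_statements(policy))


# Constructed sample 1: the SNS default policy shape from the issue, with a
# made-up account id.  Principal "*" but pinned by AWS:SourceOwner.
DEFAULT_SNS_POLICY = {
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
        "Resource": "arn:aws:sns:eu-west-2:111122223333:EXAMPLE-TOPIC",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}},
    }],
}

# Constructed sample 2: the same grant with no condition, i.e. truly public.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToPublish",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:eu-west-2:111122223333:EXAMPLE-TOPIC",
    }],
}

if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_SNS_POLICY), ("open", PUBLIC_POLICY)):
        verdict = "PUBLIC" if is_topic_policy_public(pol) else "restricted"
        print(f"{name}: {verdict} {public_statements(pol)}")
```

A scanner that only looks at the Principal block reports both samples; one that also evaluates the Condition block reports only the second, which is the behaviour the reporter expects from SNS_AUDIT.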

shivankar-madaan commented 5 years ago

Definitely a false positive, thanks for reporting it. I will get it fixed and review it again.

museadmin commented 5 years ago

Cheers. If you let me know when the fix is available I'll pull it and rerun the scan for you