Ajinkya sns prevention #137
Conversation
| This script will print the ARNs of all unencrypted SNS topics. | ||
| </Accordion> | ||
| </AccordionGroup> |
Secret: Secret Keyword
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
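Review bot: The hard-coded credential placeholders in `boto3.Session(aws_access_key_id='YOUR_ACCESS_KEY', aws_secret_access_key='YOUR_SECRET_KEY', ...)` are what the secret scanner is flagging, and the pattern also steers readers toward pasting long-lived access keys into a script that then ends up in source control. Suggest removing both keyword arguments so the example relies on boto3's default credential provider chain (environment variables, shared config/credentials file, or an instance/container/assumed role), i.e. `session = boto3.Session()` with an optional `profile_name`, and saying so in the surrounding text. The same change applies to every other `boto3.Session(...)` block in this PR.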
Secret: Secret Keyword
| This script will print a warning for each SNS subscription that uses HTTP as the delivery protocol. You can modify it to suit your needs, for example by adding a remediation step or by sending an alert to a monitoring system. | ||
| </Accordion> | ||
Secret: Secret Keyword
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
Secret: Secret Keyword
| ``` | ||
| This script will print out the ARNs of all SNS topics that are not encrypted using KMS CMKs. | ||
| </Accordion> |
Secret: Secret Keyword
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
Secret: Secret Keyword
| topic_arn = topic['TopicArn'] | ||
| policy_response = sns_client.get_topic_attributes(TopicArn=topic_arn) | ||
| policy = json.loads(policy_response['Attributes']['Policy']) | ||
Secret: Secret Keyword
| ``` | ||
| This script will print the ARN of all SNS topics that are exposed to the public. | ||
| </Accordion> | ||
Secret: Secret Keyword
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
Secret: Secret Keyword
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
Secret: Secret Keyword
| print(f'Topic ARN: {topic_arn}\nPolicy: {policy}\n') | ||
| ``` | ||
| 4. Analyze the policies: The policy of each SNS topic is a JSON string. You can convert it to a Python dictionary using the `json.loads` method and then check if it allows global subscribe. If the "Principal" in the policy is "*", it means the topic allows global subscribe. Here is how you can modify the above script to detect such topics: |
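Review bot: The rule "if the Principal in the policy is "*", the topic allows global subscribe" is too coarse in both directions and the script built on it will misreport. Principal can be written as the string `"*"` or as `{"AWS": "*"}`; the statement must also have `"Effect": "Allow"` and an `Action` that covers `SNS:Subscribe` (or `SNS:*`); and a `Condition` block can narrow a wildcard principal. In particular, the default policy SNS attaches to every new topic uses `{"AWS": "*"}` together with an `aws:SourceOwner` condition pinned to the owning account, so a check that only inspects Principal flags every topic as public. Suggest the text (and the script it introduces) iterate over `Statement`, check Effect and Action, treat both principal forms as wildcards, and report a topic as globally subscribable only when the matching statement has no Condition.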
Secret: Secret Keyword
| ```python | ||
| import os | ||
| os.environ['AWS_ACCESS_KEY_ID'] = 'your_access_key' | ||
| os.environ['AWS_SECRET_ACCESS_KEY'] = 'your_secret_access_key' |
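Review bot: Assigning `os.environ['AWS_ACCESS_KEY_ID']` and `os.environ['AWS_SECRET_ACCESS_KEY']` inside the script has the same problem as the hard-coded `boto3.Session(...)` arguments elsewhere in this PR: the secret lives in the source file, and readers are steered toward static keys. Suggest deleting the two `os.environ` lines and letting boto3 resolve credentials from its default chain, with a sentence in the text noting that if these variables are used at all they should be exported by the shell or injected by the runtime, never assigned in code.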
Secret: Secret Keyword
| if int(topic_attributes['Attributes']['SubscriptionsConfirmed']) == 0: | ||
| print(f"SNS Topic {topic_arn} doesn't have any subscriptions.") | ||
| ``` | ||
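Review bot: `int(topic_attributes['Attributes']['SubscriptionsConfirmed']) == 0` only counts confirmed subscribers, but `get_topic_attributes` also returns `SubscriptionsPending`, so a topic whose only subscriptions are awaiting confirmation prints the same "doesn't have any subscriptions" message as a genuinely unused topic, which is misleading when the reader is deciding what to clean up. Suggest reading `SubscriptionsPending` as well and either including it in the message or emitting a separate line, so an idle topic can be told apart from one blocked on confirmation.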
Secret: Secret Keyword
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
Secret: Secret Keyword
No description provided.