This repository has been archived by the owner on Jan 11, 2021. It is now read-only.

Ensure all data stored in the SNS topic is encrypted #27

Open
w8mej opened this issue Jan 7, 2021 · 0 comments

Comments


w8mej commented Jan 7, 2021

Background

When I audited the proposed recipes, templates, and code, I came across a security misconfiguration for a sensitive SNS topic. The topic introduces a vulnerability into one's AWS infrastructure.

Affected file:
CloudFormationTemplates/SecurityAlerts-Master-001-SNSTopic-Global.yml

Applicable Lines:
7-11

Unexpected behavior:

One is able to view my security alerts in clear-text.

Expected behavior:

Only those users, roles, groups, and policies that have access to the decryption key (and / or service integrated with the applicable CMK) are able to view the clear-text security alerts. All others are only able to view ciphertext.

Description

Amazon SNS is a pub/sub messaging service. When one publishes messages to encrypted topics, customer master keys (CMKs) and AWS-managed CMKs may be used to encrypt one's messages.

Rationale

If these are used in a regulated market, such as HIPAA for healthcare, PCI DSS for finance, GDPR, APRA, MAS, NIST 800-53 (Rev. 4), FedRAMP, and / or must adhere to the AWS Well-Architected Framework, one will need to ensure sensitive data messages passed in this service are encrypted at rest. This is an effective control to mitigate some data leakage risks.

Potential Remediations

Build time

Terraform

resource "aws_sns_topic" "user_updates" {
  name              = "user-updates-topic"
  # Enables server-side encryption with the AWS-managed SNS key; use a custom CMK alias/ARN to restrict decryption further.
  kms_master_key_id = "alias/aws/sns"
}

Resource: aws_sns_topic
Argument: kms_master_key_id - (Optional) The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK.

Run time

Navigate to the SNS console in AWS and select Topics on the left.
Open a topic.
Click the Edit button in the top-right corner.
Under Encryption, select Enable encryption.
Choose a customer master key - one can use the default AWS key or a custom key in KMS.

CLI
aws sns set-topic-attributes --topic-arn <TOPIC_ARN> --attribute-name "KmsMasterKeyId" --attribute-value <KEY>
The ARN format is arn:aws:sns:REGION:ACCOUNTID:TOPIC_NAME
The key is a reference to a KMS key or alias. Use alias/aws/sns for the default AWS key.

Notes:

There is no warranty of usage / liability and / or notification of this vulnerability (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration) with documented workarounds. It isn't clear one knowingly accepts this risk when they deploy NCC Group's provided, affected CloudFormation code.

References

https://docs.amazonaws.cn/en_us/sns/latest/dg/sns-security-best-practices.html
https://docs.aws.amazon.com/sns/latest/dg/sns-data-encryption.html
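Added example (not part of the issue or the repository's code): a small audit-and-remediate script for the run-time CLI remediation above. It lists every SNS topic in a region, flags those whose attributes carry no KmsMasterKeyId, and applies the same `set-topic-attributes` call with `alias/aws/sns`. The boto3 method names are real; `FakeSnsClient` and `SAMPLE_TOPICS` are constructed stand-ins so the script runs offline.

```python
"""Audit SNS topics for encryption at rest; enable the AWS-managed SNS key where it is missing."""
from typing import Dict, List, Optional

DEFAULT_AWS_KEY = "alias/aws/sns"  # AWS-managed CMK for SNS, as used in the issue's remediation

def audit_topics(sns) -> Dict[str, Optional[str]]:
    """Map each topic ARN to its KmsMasterKeyId, or None when the topic is unencrypted.
    SNS only returns the KmsMasterKeyId attribute once server-side encryption is enabled."""
    result = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
            result[arn] = attrs.get("KmsMasterKeyId") or None
    return result

def unencrypted_topics(sns) -> List[str]:
    return sorted(arn for arn, key in audit_topics(sns).items() if key is None)

def remediate(sns, key_id: str = DEFAULT_AWS_KEY) -> List[str]:
    """Same API call as `aws sns set-topic-attributes --attribute-name KmsMasterKeyId`."""
    fixed = unencrypted_topics(sns)
    for arn in fixed:
        sns.set_topic_attributes(TopicArn=arn, AttributeName="KmsMasterKeyId", AttributeValue=key_id)
    return fixed

class FakeSnsClient:
    """Constructed offline stand-in exposing the boto3 SNS methods this script uses."""
    def __init__(self, topics: Dict[str, Dict[str, str]]):
        self.topics = {arn: dict(attrs) for arn, attrs in topics.items()}
    def get_paginator(self, _operation):
        pages = [{"Topics": [{"TopicArn": arn} for arn in self.topics]}]
        return type("Pager", (), {"paginate": lambda _self: pages})()
    def get_topic_attributes(self, TopicArn):
        return {"Attributes": dict(self.topics[TopicArn])}
    def set_topic_attributes(self, TopicArn, AttributeName, AttributeValue):
        self.topics[TopicArn][AttributeName] = AttributeValue

# Constructed sample: a topic like the issue's SecurityAlerts (no key) and one already encrypted.
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:SecurityAlerts": {"DisplayName": "SecurityAlerts"},
    "arn:aws:sns:us-east-1:111122223333:user-updates-topic": {"KmsMasterKeyId": "alias/aws/sns"},
}

if __name__ == "__main__":  # swap FakeSnsClient for boto3.client("sns") against a real account
    client = FakeSnsClient(SAMPLE_TOPICS)
    print("unencrypted before:", unencrypted_topics(client))
    print("remediated:", remediate(client), "unencrypted after:", unencrypted_topics(client))
```

With a real client the caller needs sns:ListTopics, sns:GetTopicAttributes and sns:SetTopicAttributes; a custom CMK passed as key_id must also grant SNS use of the key or publishes will fail.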
