Quick Start Security for Amazon SNS
Coralogix Extension For Amazon SNS Includes:
Alerts - 9
Stay on top of Amazon SNS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
SNS access policy has changed
The SNS access policy has changed. Depending on the change, it could allow a user to add, change or delete topics, messages, subscribers, or alarms.
Impact: Depending on the permissions, it could lead to data loss, spamming, loss of productivity, or excessive costs.
Mitigation: Verify with the user who initiated the change that it was intentional and authorized. If not, revert the changes and investigate further.
MITRE Tactic: TA0003
MITRE Technique: T1098
A topic was deleted
An SNS topic was deleted. SNS topics are used to send information to subscribers, which, depending on the implementation, could range from email updates to triggering software automation processes.
Impact: Depending on the topic deleted, it could disrupt normal business or system operations, automated processes, or a customer update mechanism (like email updates).
Mitigation: Verify with the deleting user that the topic was intended to be deleted. If not, restore it and investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1562
SNS topic was created with public subscribe permissions
An SNS topic with public subscribe permissions can allow anyone to receive messages from this topic.
Impact: An SNS topic open to subscription can cause a loss of critical business data or expose internal company information to attackers.
Mitigation: Verify with the creating user that the topic was intended to be created as public. If not, restrict permissions accordingly.
MITRE Tactic: TA0009
MITRE Technique: T1213
A less secure Server-Side encryption policy created
According to best practices, you should encrypt your SNS topics with a customized KMS key. This alert triggers when the default AWS encryption was chosen instead of a customized one. If your organizational policies permit the use of the default AWS encryption, consider snoozing or removing this alert.
Impact: Using default encryption is not a best practice and can lead to data leakage and exposure of internal information to attackers.
Mitigation: Verify whether the default encryption was chosen on purpose or as an oversight. Consider changing the configuration to encrypt the topic with a customized KMS key.
MITRE Tactic: TA0040
MITRE Technique: T1565
SNS Topic was created with Public publish permissions
An SNS topic with public publish permissions can allow anyone to send messages to this topic.
Impact: A public SNS topic can cause spamming, degradation of service or trigger internal actions depending on the topic.
Mitigation: Verify with the creating user that the topic was intended to be created as public. If not, restrict permissions accordingly.
MITRE Tactic: TA0009
MITRE Technique: T1213
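The public subscribe and public publish alerts above both come down to a topic access policy that allows a wildcard principal. The following is an added example, not Coralogix's rule logic: it audits a topic policy document for such grants. The sample policy, account ID, organization ID and function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample topic policy (not taken from a real account).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "open-subscribe", "Effect": "Allow", "Principal": "*",
     "Action": ["SNS:Subscribe", "SNS:Receive"],
     "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
    {"Sid": "org-publish", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "owner", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "SNS:*", "Resource": "*"},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_sns_grants(policy_json, actions=("sns:Publish", "sns:Subscribe")):
    """Return (sid, action, has_condition) for each Allow to a wildcard principal.

    has_condition=True means the grant is narrowed by a Condition block and
    needs manual review rather than being unconditionally public.
    NotAction and NotPrincipal statements are not evaluated here.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        # Action names are case-insensitive and may contain wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in actions:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((stmt.get("Sid"), action, bool(stmt.get("Condition"))))
    return findings

if __name__ == "__main__":
    for finding in public_sns_grants(SAMPLE_POLICY):
        print(finding)
```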
Server-Side Encryption for AWS SNS Topics was disabled
Unencrypted SNS messages can expose sensitive information; it is a best practice to keep encryption enabled.
Impact: An unencrypted SNS topic can cause data leakage and expose internal information to attackers.
Mitigation: Verify why SSE was disabled. Re-enable it and investigate further if the action looks suspicious or was unauthorized.
MITRE Tactic: TA0040
MITRE Technique: T1565
Building Block - SNS Enumerated by Previously Unseen User
This alert triggers when the Amazon Simple Notification Service (SNS) is enumerated by a previously unseen user.
Impact: Attackers with the correct permissions will enumerate SMS settings and then use the AWS SNS API call Publish to send out SMS messages with their phishing links.
Mitigation: Determine if the API calls should have been made by the user. If the user is unaware of the calls made, investigate further for any malicious activities.
MITRE Tactic: TA0007
MITRE Technique: T1526
Building Block - SNS Topic Was Published
This alert triggers when the Amazon Simple Notification Service (SNS) API call Publish is used to send out SMS messages.
Impact: Threat actors can use the SNS Publish API call to send out SMS messages with their phishing links.
Mitigation: Determine if the API call should have been made by the user. If the user is unaware of the call made, investigate further for any malicious activities.
MITRE Tactic: TA0001
MITRE Technique: T1566
Flow Alert - Possible Smishing Observed
This flow alert triggers when, after SMS settings are enumerated with SNS API calls, an attempt is made to send out SMS messages with a phishing link.
Impact: Attackers with the correct permissions will enumerate SMS settings with GetSMSAttributes or GetSMSSandboxAccountStatus and then use the AWS SNS API call Publish to send out SMS messages with their phishing links. Several publicly available threat actor toolsets abuse services like Amazon SNS; attackers then advertise on platforms like Telegram for individuals or groups interested in SMS spam or smishing.
Mitigation: Determine if the API calls should have been made by the user. If the user is unaware of the calls made, investigate further for any malicious activities.
MITRE Tactic: TA0001
MITRE Technique: T1566
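The sequence this flow alert describes, combined with the "previously unseen user" building block, can be sketched over CloudTrail-shaped records. This is an added example and not Coralogix's rule definition: the events, account ID, user names, baseline set and the 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

ENUM_CALLS = {"GetSMSAttributes", "GetSMSSandboxAccountStatus"}  # named in the alert text
WINDOW = timedelta(minutes=30)  # assumption: the page gives no time window

def _ev(time, user, name):
    # Minimal CloudTrail-shaped record; every value below is a constructed sample.
    return {"eventTime": time, "eventSource": "sns.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

EVENTS = [
    _ev("2024-01-01T09:00:00Z", "app-svc", "Publish"),             # no enumeration first
    _ev("2024-01-01T10:01:00Z", "tmp-user", "GetSMSSandboxAccountStatus"),
    _ev("2024-01-01T10:01:30Z", "tmp-user", "GetSMSAttributes"),
    _ev("2024-01-01T10:03:00Z", "tmp-user", "Publish"),            # enumeration, then send
    _ev("2024-01-01T11:00:00Z", "ops", "GetSMSAttributes"),
    _ev("2024-01-01T13:00:00Z", "ops", "Publish"),                 # outside the window
]
# Principals already seen calling SNS (hypothetical baseline).
KNOWN = {"arn:aws:iam::111122223333:user/app-svc",
         "arn:aws:iam::111122223333:user/ops"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def possible_smishing(events, known_principals=frozenset(), window=WINDOW):
    """Return (principal, enum_call, publish_time, previously_unseen) per hit."""
    last_enum, hits = {}, []
    for ev in sorted(events, key=_ts):
        if ev.get("eventSource") != "sns.amazonaws.com":
            continue
        who, name, when = ev["userIdentity"]["arn"], ev["eventName"], _ts(ev)
        if name in ENUM_CALLS:
            last_enum[who] = (when, name)  # remember the most recent enumeration
        elif name == "Publish" and who in last_enum:
            enum_time, enum_name = last_enum[who]
            if when - enum_time <= window:
                hits.append((who, enum_name, ev["eventTime"],
                             who not in known_principals))
    return hits

if __name__ == "__main__":
    for hit in possible_smishing(EVENTS, KNOWN):
        print(hit)
```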
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon SNS in our documentation.