
AWS SNS finding "Receive Authorized for All Principals"

Open · rdegraaf opened this issue 3 years ago · 0 comments

ScoutSuite 5.11.0 contains six checks for SNS Topics that have resource policies permitting access to all AWS principals. Five of the checks correspond to SNS API actions that apply to individual topics and can be called cross-account: AddPermission, DeleteTopic, Publish, RemovePermission, and SetTopicAttributes. However, the sixth, "Receive Authorized to All Principals", makes no sense: there is no "Receive" API action for SNS.

I created an SNS Topic with a resource policy that permitted all principals (`"Principal": {"AWS": "*"}`) to call all SNS API actions (`"Action": "sns:*"`), and while the first five rules failed (as expected), the "Receive" rule did not.

In addition to the five listed above, SNS allows access to three read operations to be controlled by resource policies: GetTopicAttributes, ListSubscriptionsByTopic, and Subscribe. I suggest that the "Receive Authorized for All Principals" finding be replaced with three new findings for GetTopicAttributes, ListSubscriptionsByTopic, and Subscribe.

rdegraaf · May 03 '22 00:05
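The check the issue describes, as an added example that is not ScoutSuite's own code: a small policy evaluator that reports which cross-account-callable SNS topic actions a resource policy grants unconditionally to all principals. It covers the five actions the issue says ScoutSuite already checks plus the three read operations it proposes, expands `sns:*` and `*` wildcards, and subtracts unconditional Deny statements. The sample policies are constructed for this example; the first reproduces the world-open topic from the report. Statements with a `Condition`, `NotAction`, or `NotPrincipal` are deliberately not counted as world-open, which is a conservative simplification rather than full IAM evaluation.

```python
import fnmatch
import json

# SNS topic-level actions that a resource policy can grant cross-account:
# the five the issue says ScoutSuite already checks, plus the three read
# operations it proposes as replacements for the bogus "Receive" finding.
TOPIC_ACTIONS = [
    "sns:AddPermission",
    "sns:DeleteTopic",
    "sns:Publish",
    "sns:RemovePermission",
    "sns:SetTopicAttributes",
    "sns:GetTopicAttributes",
    "sns:ListSubscriptionsByTopic",
    "sns:Subscribe",
]


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for "Principal": "*" or "Principal": {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' globs."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def world_open_actions(policy, candidates=TOPIC_ACTIONS):
    """Return the candidate actions the policy allows to all principals with no
    Condition. Unconditional Deny statements for all principals remove an
    action again. NotAction / NotPrincipal statements are ignored (conservative)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Condition") or "NotAction" in stmt or "NotPrincipal" in stmt:
            continue  # not an unconditional, explicit grant/deny; skip
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        hits = {a for a in candidates if any(_action_matches(p, a) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return sorted(allowed - denied)


# Constructed sample 1: the world-open topic policy from the issue's reproduction.
WORLD_OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sns:*",
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"}
    ],
})

# Constructed sample 2: only Publish is truly world-open; the read actions are
# gated by a Condition and the account-root grant is not "all principals".
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["sns:Subscribe", "sns:GetTopicAttributes"],
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
         "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sns:*",
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
    ],
})

# Constructed sample 3: wildcard Allow with an explicit Deny carving out DeleteTopic.
DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*",
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
        {"Effect": "Deny", "Principal": "*", "Action": "SNS:DeleteTopic",
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
    ],
})

if __name__ == "__main__":
    for name, doc in [("world-open", WORLD_OPEN_POLICY),
                      ("scoped", SCOPED_POLICY), ("deny", DENY_POLICY)]:
        print(f"{name}: {world_open_actions(doc)}")
```

Run against a real topic, the policy document comes from the `Policy` attribute returned by `sns get-topic-attributes`; the function takes either the raw JSON string or the parsed dict. Because a single finding per action is what the issue asks for, the caller would emit one finding per entry in the returned list rather than a single aggregate.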