AWS SNS Subscription Is Not Configured With HTTPS

This policy identifies SNS subscriptions that use HTTP instead of HTTPS as the delivery protocol, so that SSL encryption can be enforced for all subscription requests. It is strongly recommended to use only HTTPS-based subscriptions by implementing secure SNS topic policies.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: CloudFormation

Build Rules

AWS SNS subscription is not configured with HTTPS.
JSON Query:
$.Resources.*[?(@.Type == 'AWS::SNS::Subscription')].Properties.Protocol any equal http
Recommendation:
Configure the SNS subscription with HTTPS by making sure that the "Protocol" value is set to "https".
For example:
"SCMSubscription": {
  "Type": "AWS::SNS::Subscription",
  "Properties": {
    "TopicArn": { "Ref": "CarSalesTopic" },
    "Endpoint": { "Ref": "myHttpEndpoint" },
    "Protocol": "https"
  }
}

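Added example (not part of the original policy page or of the vendor's scanner): a Python version of the build-rule check that goes beyond the JSON query by also following a Protocol given as a Ref to a template parameter's Default. The sample template, the LegacySubscription, ParamSubscription and SubProtocol names, and the example.com endpoints are constructed for illustration.

```python
import json

# Constructed sample CloudFormation template (not from the page).
TEMPLATE = json.loads("""
{
  "Parameters": {"SubProtocol": {"Type": "String", "Default": "http"}},
  "Resources": {
    "CarSalesTopic": {"Type": "AWS::SNS::Topic"},
    "SCMSubscription": {"Type": "AWS::SNS::Subscription", "Properties": {
      "TopicArn": {"Ref": "CarSalesTopic"},
      "Endpoint": "https://example.com/hook", "Protocol": "https"}},
    "LegacySubscription": {"Type": "AWS::SNS::Subscription", "Properties": {
      "TopicArn": {"Ref": "CarSalesTopic"},
      "Endpoint": "http://example.com/hook", "Protocol": "http"}},
    "ParamSubscription": {"Type": "AWS::SNS::Subscription", "Properties": {
      "TopicArn": {"Ref": "CarSalesTopic"},
      "Endpoint": "http://example.com/hook2",
      "Protocol": {"Ref": "SubProtocol"}}}
  }
}
""")


def resolve_protocol(value, parameters):
    """Return the protocol as a lowercase string, following a Ref to a
    parameter's Default; None when it cannot be resolved statically."""
    if isinstance(value, dict) and "Ref" in value:
        value = (parameters.get(value["Ref"]) or {}).get("Default")
    return value.strip().lower() if isinstance(value, str) else None


def find_http_subscriptions(template):
    """Logical IDs of AWS::SNS::Subscription resources whose Protocol is http."""
    parameters = template.get("Parameters") or {}
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict):
            continue
        if resource.get("Type") != "AWS::SNS::Subscription":
            continue
        protocol = (resource.get("Properties") or {}).get("Protocol")
        if resolve_protocol(protocol, parameters) == "http":
            findings.append(logical_id)
    return sorted(findings)


if __name__ == "__main__":
    for name in find_http_subscriptions(TEMPLATE):
        print(f"{name}: Protocol is http; set it to https")
```

A Ref whose parameter has no Default resolves to None and is not reported, because the effective protocol is only known at deploy time.
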
Run Rule Recommendation

The protocol of an SNS subscription cannot be changed once the subscription is created. To resolve this alert, create a new subscription with protocol HTTPS, migrate required data from the reported SNS subscription to the new SNS subscription, and delete the reported SNS subscription.
To create a new SNS subscription:
  1. Sign in to the AWS console.
  2. Select the region, from the region drop-down, in which the alert is generated.
  3. Navigate to SNS Dashboard.
  4. Click on the 'Subscriptions' (Left panel).
  5. Click on 'Create subscription' button.
  6. On 'Create subscription' page, Choose 'HTTPS' from 'Protocol' dropdown list and choose other parameters as per your requirement.
  7. Click on 'Create subscription'.
To delete the reported SNS subscription:
  1. Sign in to the AWS console.
  2. Select the region, from the region drop-down, in which the alert is generated.
  3. Navigate to SNS Dashboard.
  4. Click on the 'Subscriptions' (Left panel).
  5. Click on the reported SNS subscription.
  6. Click on 'Delete' button.

Compliance

There are 2 standards that are applicable to this policy:
  • PIPEDA
  • CCPA 2018
