SNS subscriptions should deny access via HTTP

Description

SNS subscriptions should not use HTTP as the delivery protocol. To enforce encryption in transit, any subscription to an HTTP endpoint should use HTTPS instead.

Console Remediation Steps

You cannot update an existing subscription to use HTTPS. You will need to create a new subscription using HTTPS and delete the existing subscription. Follow the instructions detailed here.

To create a new subscription using HTTPS:

  • Sign in to the Amazon SNS console.

  • On the navigation panel, choose Subscriptions.

  • On the Subscriptions page, choose Create subscription.

  • On the Create subscription page, do the following:

    • Enter the topic ARN.

    • For Protocol, choose HTTPS.

    • For Endpoint, enter an HTTPS web server.

  • Confirm the subscription.

To delete the HTTP subscription:

  • Sign in to the Amazon SNS console.

  • On the navigation panel, choose Subscriptions.

  • On the Subscriptions page, choose a confirmed subscription and then choose Delete.

  • In the Delete subscription dialog box, choose Delete.

CLI Remediation Steps

You cannot update an existing subscription to use HTTPS. You will need to create a new subscription using HTTPS and delete the existing subscription. Follow the instructions detailed here.

To create a new subscription using HTTPS:

aws sns subscribe \
    --topic-arn <ARN> \
    --protocol https \
    --notification-endpoint <URL beginning with https://>

To delete the HTTP subscription:

  • aws sns unsubscribe --subscription-arn <ARN>