SNS subscriptions should deny access via HTTP

Description

SNS subscriptions should not use HTTP as the delivery protocol. An HTTP endpoint receives every notification payload, and the subscription confirmation token, in cleartext, where they can be read or altered in transit. To enforce encryption in transit, any subscription to an HTTP endpoint should be replaced with a subscription to an HTTPS endpoint.

Remediation Steps

AWS Console

An existing subscription cannot be changed to HTTPS. Create a new subscription to the HTTPS endpoint, wait for it to be confirmed, and only then delete the HTTP subscription, so the topic is never left without a working subscriber.

To create a new subscription using HTTPS:

  • Sign in to the Amazon SNS console.

  • On the navigation panel, choose Subscriptions.

  • On the Subscriptions page, choose Create subscription.

  • On the Create subscription page, do the following:

    • Enter the topic ARN.

    • For Protocol, choose HTTPS.

    • For Endpoint, enter the endpoint URL, beginning with https://.

  • Confirm the subscription. SNS sends a SubscriptionConfirmation message to the new endpoint; the subscription stays in Pending confirmation until the SubscribeURL in that message is visited.

To delete the HTTP subscription:

  • Sign in to the Amazon SNS console.

  • On the navigation panel, choose Subscriptions.

  • On the Subscriptions page, choose the confirmed HTTP subscription and then choose Delete.

  • In the Delete subscription dialog box, choose Delete.

AWS CLI

An existing subscription cannot be changed to HTTPS. Create a new subscription to the HTTPS endpoint, wait for it to be confirmed, and only then delete the HTTP subscription, so the topic is never left without a working subscriber.

To create a new subscription using HTTPS:

aws sns subscribe \
    --topic-arn <ARN> \
    --protocol https \
    --notification-endpoint <URL beginning with https://>

To delete the HTTP subscription:

aws sns unsubscribe --subscription-arn <ARN>
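The two CLI steps above are easy to get wrong across an account with many subscriptions: the HTTP ones have to be found first, and a subscription that is still pending confirmation has no ARN to unsubscribe. The following audit script is an added example, not part of the original page or of any AWS tooling. It assumes only the JSON shape returned by aws sns list-subscriptions --output json (the sample embedded below is constructed), lists every plaintext HTTP subscription, and emits the subscribe command followed by the unsubscribe command for each, upgrading the existing http:// endpoint URL to https://.

```python
"""Audit `aws sns list-subscriptions` output for plaintext HTTP subscriptions.

Added example (not from the original page). It assumes only the JSON shape
returned by `aws sns list-subscriptions --output json`; the sample below is
constructed. Feed real output via: aws sns list-subscriptions | python3 audit.py
"""
from __future__ import annotations

import json
import shlex
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of `aws sns list-subscriptions` output.
# A subscription that has not been confirmed yet is reported with the literal
# string "PendingConfirmation" in place of an ARN.
SAMPLE_LIST_SUBSCRIPTIONS = json.dumps({
    "Subscriptions": [
        {
            "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:alerts:11111111-2222-3333-4444-555555555555",
            "Owner": "123456789012",
            "Protocol": "http",
            "Endpoint": "http://hooks.example.internal/sns",
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts",
        },
        {
            "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:alerts:66666666-7777-8888-9999-000000000000",
            "Owner": "123456789012",
            "Protocol": "https",
            "Endpoint": "https://hooks.example.internal/sns",
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts",
        },
        {
            "SubscriptionArn": "PendingConfirmation",
            "Owner": "123456789012",
            "Protocol": "http",
            "Endpoint": "http://legacy.example.internal/notify",
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts",
        },
        {
            "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:alerts:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "Owner": "123456789012",
            "Protocol": "sqs",
            "Endpoint": "arn:aws:sqs:us-east-1:123456789012:alerts-queue",
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts",
        },
    ]
})


def find_http_subscriptions(list_output: str) -> list:
    """Return every subscription whose delivery protocol is plaintext HTTP."""
    data = json.loads(list_output)
    return [s for s in data.get("Subscriptions", [])
            if str(s.get("Protocol", "")).lower() == "http"]


def https_endpoint(endpoint: str) -> str:
    """Rewrite an http:// endpoint URL to https://, keeping host, path and query."""
    parts = urlsplit(endpoint)
    if parts.scheme != "http":
        raise ValueError(f"expected an http:// endpoint, got {endpoint!r}")
    return urlunsplit(("https",) + tuple(parts[1:]))


def remediation_commands(sub: dict) -> list:
    """AWS CLI commands that replace one HTTP subscription with an HTTPS one.

    The subscribe is emitted before the unsubscribe so the topic is never left
    without a subscriber (the new subscription still has to be confirmed by the
    endpoint before the old one is removed). A subscription pending confirmation
    has no ARN to pass to unsubscribe; SNS discards it once its token expires,
    so only the subscribe command is emitted for it.
    """
    cmds = [
        "aws sns subscribe "
        f"--topic-arn {shlex.quote(sub['TopicArn'])} "
        "--protocol https "
        f"--notification-endpoint {shlex.quote(https_endpoint(sub['Endpoint']))}"
    ]
    if sub["SubscriptionArn"] != "PendingConfirmation":
        cmds.append("aws sns unsubscribe --subscription-arn "
                    f"{shlex.quote(sub['SubscriptionArn'])}")
    return cmds


if __name__ == "__main__":
    # Use real CLI output when piped in, otherwise the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_SUBSCRIPTIONS
    for sub in find_http_subscriptions(raw or SAMPLE_LIST_SUBSCRIPTIONS):
        print(f"# {sub['TopicArn']} -> {sub['Endpoint']}")
        print("\n".join(remediation_commands(sub)))
```

The script only prints the commands; review them and confirm the new HTTPS subscription has left Pending confirmation before running the unsubscribe lines.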

Terraform

Example Configuration

resource "aws_sns_topic_subscription" "user_updates_https_target" {
  # Topic reference assumed for illustration; point this at your own topic.
  topic_arn = aws_sns_topic.user_updates.arn
  protocol  = "https"
  # The endpoint must be an https:// URL; an http:// URL here is what this rule flags.
  endpoint  = "https://example.com/sns"
}