SNS subscriptions should deny access via HTTP¶
Description¶
SNS subscriptions should not use HTTP as the delivery protocol. A notification delivered to a plain HTTP endpoint travels in cleartext, so anyone on the network path can read or alter the message body. To enforce encryption in transit, any subscription to an HTTP endpoint should use HTTPS instead.
Remediation Steps¶
AWS Console¶
A subscription's protocol cannot be changed after it is created, so you cannot update an existing HTTP subscription to use HTTPS. Instead, create a new HTTPS subscription to the same endpoint, wait for the endpoint to confirm it, and then delete the HTTP subscription. Creating the replacement first keeps the endpoint receiving notifications throughout.
To create a new subscription using HTTPS:
Sign in to the Amazon SNS console.
On the navigation panel, choose Subscriptions.
On the Subscriptions page, choose Create subscription.
On the Create subscription page, do the following:
Enter the topic ARN.
For Protocol, choose HTTPS.
For Endpoint, enter the URL of the HTTPS endpoint (it must begin with https://).
Choose Create subscription. SNS sends a SubscriptionConfirmation message to the endpoint; the endpoint must visit the SubscribeURL in that message before the subscription becomes confirmed and starts receiving notifications.
To delete the HTTP subscription:
Sign in to the Amazon SNS console.
On the navigation panel, choose Subscriptions.
On the Subscriptions page, select the confirmed HTTP subscription you are replacing and then choose Delete.
In the Delete subscription dialog box, choose Delete.
AWS CLI¶
A subscription's protocol cannot be changed after it is created, so you cannot update an existing HTTP subscription to use HTTPS. Create a new HTTPS subscription to the same endpoint, let the endpoint confirm it by visiting the SubscribeURL in the SubscriptionConfirmation message, and only then unsubscribe the HTTP one, so that no notifications are lost in between.
To create a new subscription using HTTPS:
aws sns subscribe \
--topic-arn <ARN> \
--protocol https \
--notification-endpoint <URL beginning with https://>
To delete the HTTP subscription:
aws sns unsubscribe --subscription-arn <ARN>
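The CLI procedure above, as an added shell example that is not part of the original page: a script that takes the tab-separated text `aws sns list-subscriptions-by-topic` prints for one topic, reports the subscriptions still using plain HTTP, and prints the subscribe/unsubscribe pair that replaces each one. It runs offline on a constructed sample (the account, the `alerts` topic, the subscription ARNs and the endpoint hosts are all made up) and only prints the aws commands rather than running them. Rows whose ARN is `PendingConfirmation` (an HTTP subscription the endpoint never confirmed) are flagged instead of unsubscribed, since such a subscription has no ARN to pass to `unsubscribe` and expires on its own.

```shell
#!/bin/sh
# Added example, not from the original page. Finds HTTP subscriptions on one
# SNS topic and prints the CLI commands that replace each with an HTTPS twin.
# Input is the tab-separated text this command prints in real use:
#   aws sns list-subscriptions-by-topic --topic-arn "$TOPIC_ARN" --output text \
#       --query 'Subscriptions[].[SubscriptionArn,Protocol,Endpoint]'
# Nothing here calls AWS; the commands are printed for review, not executed.

TOPIC_ARN='arn:aws:sns:us-east-1:123456789012:alerts'   # assumed, made-up topic

# Constructed sample of that output: one http, one https, one sqs, and one http
# subscription that was never confirmed (SNS prints PendingConfirmation as its ARN).
sample_subscriptions() {
    printf '%s\t%s\t%s\n' \
        "$TOPIC_ARN:11111111-1111-1111-1111-111111111111" http  'http://hooks.example.com/sns' \
        "$TOPIC_ARN:22222222-2222-2222-2222-222222222222" https 'https://hooks.example.com/sns' \
        "$TOPIC_ARN:33333333-3333-3333-3333-333333333333" sqs   'arn:aws:sqs:us-east-1:123456789012:alerts-queue' \
        PendingConfirmation                                http  'http://old.example.com/notify'
}

# Keep only the rows whose delivery protocol is plain http (https rows pass).
find_http_subscriptions() {
    awk -F '\t' '$2 == "http"'
}

# Number of http rows; zero means the topic is compliant with this rule.
count_http_subscriptions() {
    awk -F '\t' '$2 == "http" { n++ } END { print n + 0 }'
}

# For each http row: subscribe the same endpoint over https first, then
# unsubscribe the http original, so the endpoint keeps receiving notifications.
# The https subscription must be confirmed (the endpoint visits the SubscribeURL
# that SNS sends it) before the http one is removed.
remediation_commands() {
    awk -F '\t' -v topic="$1" '
        $2 != "http" { next }
        {
            endpoint = $3
            sub(/^http:/, "https:", endpoint)   # same host and path, TLS scheme
            printf "aws sns subscribe --topic-arn %s --protocol https --notification-endpoint %s\n", topic, endpoint
            if ($1 == "PendingConfirmation") {
                printf "# %s was never confirmed: no ARN to unsubscribe, it expires by itself\n", $3
            } else {
                printf "aws sns unsubscribe --subscription-arn %s\n", $1
            }
        }'
}

# Demo on the constructed sample; in practice pipe the live aws output instead.
sample_subscriptions | remediation_commands "$TOPIC_ARN"
```

To use it against a real topic, replace the sample with the live output: `aws sns list-subscriptions-by-topic --topic-arn "$TOPIC_ARN" --output text --query 'Subscriptions[].[SubscriptionArn,Protocol,Endpoint]' | remediation_commands "$TOPIC_ARN"`. Run the printed `subscribe` commands first, wait until the endpoint has confirmed each new subscription, and only then run the `unsubscribe` commands.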
Terraform¶
Ensure that the aws_sns_topic_subscription protocol field is NOT set to http.
Example Configuration¶
resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  topic_arn = aws_sns_topic.user_updates.arn      # assumed topic resource; use your own
  protocol  = "https"                             # never "http"
  endpoint  = "https://hooks.example.com/sns"     # placeholder; must be an https:// URL
}
Because a subscription's protocol cannot be changed in place, changing an existing aws_sns_topic_subscription from http to https makes Terraform plan a replacement (destroy and create) of the subscription resource, and the new HTTPS subscription still has to be confirmed by the endpoint before it receives notifications.