SNS Topic Exposure

Can external parties publish to or subscribe to your SNS topics?

What this looks like in the scanner

securecompass.io/public-exposure-scanner

Critical: prod-order-notifications
SNS topic policy allows sns:Publish from Principal: "*" - anyone can inject messages

High: alert-escalation-topic
SNS topic has subscription from unknown external AWS account 987654321012

Medium: system-events-topic
SNS topic does not have server-side encryption enabled

What does Amazon SNS public exposure mean?

SNS topic policies can allow any AWS account or principal to publish messages or create subscriptions. When they do, external actors can inject messages into your notification pipeline or subscribe to receive your notifications.

Why it matters

SNS topics often trigger Lambda functions, SQS queues, and email notifications. External publishing can trigger unauthorized actions, while external subscriptions can leak sensitive notification content.

How to check manually

  1. Review SNS topic access policies for Principal: "*"
  2. Check subscription lists for unexpected endpoints
  3. Verify topic encryption is enabled for sensitive data
  4. Review CloudTrail for unauthorized publish or subscribe actions

Quick check with AWS CLI

List SNS topics and check their access policies (with --output text the ARNs arrive tab-separated on one line, so they are split onto separate lines before xargs)
aws sns list-topics --query "Topics[].TopicArn" --output text | tr '\t' '\n' | xargs -I {} aws sns get-topic-attributes --topic-arn {} --query "Attributes.Policy"
Check subscriptions for a specific topic
aws sns list-subscriptions-by-topic --topic-arn YOUR_TOPIC_ARN --query "Subscriptions[].{Protocol:Protocol,Endpoint:Endpoint,Owner:Owner}"
Find topics without server-side encryption (KmsMasterKeyId is absent when encryption is off)
aws sns list-topics --query "Topics[].TopicArn" --output text | tr '\t' '\n' | xargs -I {} sh -c 'echo "Topic: {}"; aws sns get-topic-attributes --topic-arn {} --query "Attributes.KmsMasterKeyId"'
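The manual steps and CLI commands above can be scripted so the three findings the scanner reports (open publish policy, external subscriber, no encryption) are evaluated the same way on every topic. The example below is added here and is not the scanner's own code; every ARN, account id, endpoint and policy in it is a constructed sample. One caveat it handles that the CLI one-liners do not: the default SNS topic policy also uses a wildcard principal but scopes it with a Condition on AWS:SourceOwner, so the check distinguishes a wildcard that carries a Condition (flagged for review) from one with no Condition at all (open to anyone). The scan_live_account function assumes boto3 is installed and AWS credentials are configured; it is imported lazily so the offline checks run without it.

```python
"""Offline versions of the SNS exposure checks (added example; not the
scanner's own code). All ARNs, account ids, endpoints and policies below
are constructed samples."""
import json

# Actions that let an outside party inject messages or read them via a subscription.
SENSITIVE_ACTIONS = {"sns:publish", "sns:subscribe", "sns:receive", "sns:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # Principal "*" and {"AWS": "*"} are equivalent in a resource policy.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def check_topic_policy(policy_json):
    """Return (severity, detail) tuples for Allow statements that grant
    sensitive actions to a wildcard principal. A wildcard scoped by a
    Condition (the default SNS policy uses AWS:SourceOwner) is reported as
    Medium for review; one with no Condition at all is open to anyone."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        hit = sorted({a.lower() for a in _as_list(stmt.get("Action", []))} & SENSITIVE_ACTIONS)
        if not hit:
            continue
        actions = ", ".join(hit)
        if stmt.get("Condition"):
            findings.append(("Medium", f"{actions} open to any principal, limited by Condition keys {sorted(stmt['Condition'])}"))
        else:
            findings.append(("Critical", f'{actions} allowed from Principal "*" with no Condition'))
    return findings


def check_subscriptions(subscriptions, own_account_id):
    """Flag subscriptions whose Owner field is not our own account."""
    return [("High", f"{s['Protocol']} subscription {s['Endpoint']} owned by external account {s['Owner']}")
            for s in subscriptions if s.get("Owner") != own_account_id]


def check_encryption(attributes):
    """GetTopicAttributes omits KmsMasterKeyId when server-side encryption is off."""
    return [] if attributes.get("KmsMasterKeyId") else [("Medium", "server-side encryption not enabled")]


# --- constructed sample data (placeholder account ids and ARNs) ---------------
OUR_ACCOUNT = "123456789012"

OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:prod-order-notifications"}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["sns:Publish", "sns:Subscribe"],
     "Resource": "arn:aws:sns:us-east-1:123456789012:system-events-topic",
     "Condition": {"StringEquals": {"AWS:SourceOwner": OUR_ACCOUNT}}}]})

SAMPLE_SUBSCRIPTIONS = [
    {"Protocol": "sqs", "Endpoint": "arn:aws:sqs:us-east-1:123456789012:orders", "Owner": OUR_ACCOUNT},
    {"Protocol": "https", "Endpoint": "https://hooks.example.invalid/ingest", "Owner": "987654321012"},
]


def scan_live_account(region_name=None):
    """Run the same checks against the caller's own account. Assumes boto3 is
    installed and credentials are configured; imported lazily so the offline
    checks above run without it."""
    import boto3
    sns = boto3.client("sns", region_name=region_name)
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    results = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
            subs = [s for p in sns.get_paginator("list_subscriptions_by_topic").paginate(TopicArn=arn)
                    for s in p["Subscriptions"]]
            results[arn] = (check_topic_policy(attrs.get("Policy", "{}"))
                            + check_subscriptions(subs, account_id)
                            + check_encryption(attrs))
    return results


if __name__ == "__main__":
    for name, findings in [("prod-order-notifications", check_topic_policy(OPEN_POLICY)),
                           ("system-events-topic", check_topic_policy(SCOPED_POLICY)
                            + check_subscriptions(SAMPLE_SUBSCRIPTIONS, OUR_ACCOUNT)
                            + check_encryption({"Policy": SCOPED_POLICY}))]:
        for severity, detail in findings:
            print(f"{severity:8} {name}: {detail}")
```

Running the script offline prints one Critical finding for the open policy and, for the scoped topic, a Medium review item for the conditioned wildcard, a High finding for the subscription owned by 987654321012 and a Medium finding for missing encryption. Run scan_live_account() from a credentialed session to apply the same logic to every topic in the account.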

Common misconfigurations

Topic policy allowing any principal to publish
Subscriptions from unknown external accounts
Topics without server-side encryption
No delivery status logging configured

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.

Scan My Account
