fix(sns): handle topic policy conditions (#2660)

2026-02-10 06:45:08 +00:00 · 2023-08-02 11:45:27 +02:00
parent 49c9d2b077
commit aced44f051
2 changed files with 15 additions and 9 deletions
--- a/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
@@ -1,4 +1,7 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.lib.policy_condition_parser.policy_condition_parser import (
+    is_account_only_allowed_in_condition,
+)
 from prowler.providers.aws.services.sns.sns_client import sns_client


@@ -28,14 +31,16 @@ class sns_topics_not_publicly_accessible(Check):
                                and "*" in statement["Principal"]["CanonicalUser"]
                            )
                        ):
-                            if "Condition" not in statement:
-                                report.status = "FAIL"
-                                report.status_extended = (
-                                    f"SNS topic {topic.name} is publicly accesible"
+                            if (
+                                "Condition" in statement
+                                and is_account_only_allowed_in_condition(
+                                    statement["Condition"], sns_client.audited_account
                                )
+                            ):
+                                report.status_extended = f"SNS topic {topic.name} is not public because its policy only allows access from the same account"
                            else:
-                                report.status = "PASS"
-                                report.status_extended = f"SNS topic {topic.name} is publicly accesible but has a Condition that could filter it"
+                                report.status = "FAIL"
+                                report.status_extended = f"SNS topic {topic.name} is public because its policy allows public access"

            findings.append(report)

--- a/tests/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible_test.py
+++ b/tests/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible_test.py
@@ -27,7 +27,7 @@ test_policy_restricted_condition = {
            "Principal": {"AWS": "*"},
            "Action": ["sns:Publish"],
            "Resource": f"arn:aws:sns:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:{topic_name}",
-            "Condition": {"StringEquals": {"sns:Protocol": "https"}},
+            "Condition": {"StringEquals": {"aws:SourceAccount": AWS_ACCOUNT_NUMBER}},
        }
    ]
 }
@@ -121,6 +121,7 @@ class Test_sns_topics_not_publicly_accessible:

    def test_topic_public_with_condition(self):
        sns_client = mock.MagicMock
+        sns_client.audited_account = AWS_ACCOUNT_NUMBER
        sns_client.topics = []
        sns_client.topics.append(
            Topic(
@@ -144,7 +145,7 @@ class Test_sns_topics_not_publicly_accessible:
            assert result[0].status == "PASS"
            assert (
                result[0].status_extended
-                == f"SNS topic {topic_name} is publicly accesible but has a Condition that could filter it"
+                == f"SNS topic {topic_name} is not public because its policy only allows access from the same account"
            )
            assert result[0].resource_id == topic_name
            assert result[0].resource_arn == topic_arn
@@ -176,7 +177,7 @@ class Test_sns_topics_not_publicly_accessible:
            assert result[0].status == "FAIL"
            assert (
                result[0].status_extended
-                == f"SNS topic {topic_name} is publicly accesible"
+                == f"SNS topic {topic_name} is public because its policy allows public access"
            )
            assert result[0].resource_id == topic_name
            assert result[0].resource_arn == topic_arn