Ensure There Are No SNS Subscriptions Using HTTP Endpoints
Overview
This check identifies Amazon SNS subscriptions that use unencrypted HTTP endpoints instead of secure HTTPS endpoints. When SNS delivers messages over HTTP, the data travels unencrypted across the network, making it vulnerable to interception.
Risk
Using HTTP endpoints for SNS subscriptions creates several security risks:
- Eavesdropping: Attackers on the network can intercept and read your message contents
- Man-in-the-middle attacks: Malicious actors can modify messages in transit without detection
- Data theft: Sensitive information in notifications could be captured and exploited
- Compliance violations: Many security frameworks require encryption of data in transit
When you use HTTPS instead, messages are automatically encrypted during transit, protecting your data even if the network is compromised.
Remediation Steps
Prerequisites
You need permission to manage SNS subscriptions in your AWS account. Specifically, you need the sns:ListSubscriptions, sns:Unsubscribe, and sns:Subscribe permissions.
AWS Console Method
- Open the Amazon SNS console
- In the left navigation, click Subscriptions
- Look for subscriptions where the Protocol column shows http (not https)
- For each HTTP subscription you find:
- Note the Topic ARN and Endpoint URL
- Select the subscription by clicking its checkbox
- Click Delete and confirm
- Create a new secure subscription:
- Click Create subscription
- For Topic ARN, select the same topic
- For Protocol, choose HTTPS
- For Endpoint, enter the HTTPS version of your endpoint URL (change http:// to https://)
- Click Create subscription
- If required, confirm the subscription from your endpoint (AWS sends a confirmation request)
Important: Before deleting the HTTP subscription, ensure your endpoint supports HTTPS. You may need to configure SSL/TLS certificates on your web server first.
AWS CLI (optional)
Step 1: Find HTTP Subscriptions
List all subscriptions and filter for HTTP protocol:
aws sns list-subscriptions \
--region us-east-1 \
--query "Subscriptions[?Protocol=='http']"
Step 2: Delete the HTTP Subscription
Once you have identified the subscription ARN, delete it:
aws sns unsubscribe \
--subscription-arn arn:aws:sns:us-east-1:123456789012:my-topic:12345678-1234-1234-1234-123456789012 \
--region us-east-1
Step 3: Create a New HTTPS Subscription
Create a replacement subscription using HTTPS:
aws sns subscribe \
--topic-arn arn:aws:sns:us-east-1:123456789012:my-topic \
--protocol https \
--notification-endpoint https://example.com/webhook \
--region us-east-1
Step 4: Confirm the Subscription
For HTTPS endpoints, AWS sends a confirmation request to your endpoint. Your endpoint must handle the SubscriptionConfirmation message and call the ConfirmSubscription URL provided in the message.
Alternatively, if you have the confirmation token:
aws sns confirm-subscription \
--topic-arn arn:aws:sns:us-east-1:123456789012:my-topic \
--token <confirmation-token> \
--region us-east-1
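Step 4 says the endpoint must handle the SubscriptionConfirmation message, and the Notes say to verify SNS message signatures whatever the protocol. The following is an added example (not Prowler's or AWS's code) of the endpoint-side pieces: an allowlist for the https:// SNS hosts a SigningCertURL or SubscribeURL may point at, the string-to-sign AWS uses for SignatureVersion 1 and 2, RSA signature verification (assumes the `cryptography` package is installed), and the decision of which confirmation URL to fetch. The topic ARN is the one used in this page's CLI examples; the sample message and its signature are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlparse
SIGNED_FIELDS = {  # fields AWS concatenates into the string-to-sign, in order, per message type
    "Notification": ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"),
    "SubscriptionConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"),
}
SNS_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")  # hosts allowed for cert/confirm URLs

def is_sns_https_url(url: str) -> bool:
    """True only for an https:// URL on an SNS service host (never http://)."""
    u = urlparse(url)
    return u.scheme == "https" and bool(SNS_HOST.match(u.hostname or ""))

def string_to_sign(msg: dict) -> str:
    """Canonical text AWS signed; the optional Subject is skipped when absent."""
    return "".join(f"{f}\n{msg[f]}\n" for f in SIGNED_FIELDS[msg["Type"]]
                   if not (f == "Subject" and f not in msg))

def verify_signature(msg: dict, cert_pem: bytes) -> bool:
    """Check msg['Signature'] with the cert from SigningCertURL; fetch that cert only after
    is_sns_https_url(msg['SigningCertURL']) passed. Needs the 'cryptography' package."""
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    digest = hashes.SHA256() if msg.get("SignatureVersion") == "2" else hashes.SHA1()
    try:
        x509.load_pem_x509_certificate(cert_pem).public_key().verify(
            base64.b64decode(msg["Signature"]), string_to_sign(msg).encode(), padding.PKCS1v15(), digest)
        return True
    except InvalidSignature:
        return False

def confirm_url(msg: dict, allowed_topics: set):
    """For a SubscriptionConfirmation on an expected topic, return the SubscribeURL the
    endpoint should GET to confirm; None otherwise. Call only after verify_signature() is True."""
    if msg["Type"] != "SubscriptionConfirmation" or msg["TopicArn"] not in allowed_topics:
        return None
    return msg["SubscribeURL"] if is_sns_https_url(msg["SubscribeURL"]) else None

# Constructed sample confirmation request; every value is a placeholder, not real AWS data.
SAMPLE_CONFIRMATION = {
    "Type": "SubscriptionConfirmation", "MessageId": "00000000-0000-0000-0000-000000000000",
    "Token": "PLACEHOLDER_TOKEN", "TopicArn": "arn:aws:sns:us-east-1:123456789012:my-topic",
    "Message": "You have chosen to subscribe to the topic my-topic.", "Timestamp": "2024-01-01T00:00:00.000Z",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=PLACEHOLDER_TOKEN",
    "SignatureVersion": "1", "Signature": "UExBQ0VIT0xERVI=",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-placeholder.pem",
}
```

A web handler would run is_sns_https_url on SigningCertURL, fetch the certificate, call verify_signature, and only then act on confirm_url (for confirmations) or on Message (for notifications); an unexpected TopicArn is rejected either way.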
CloudFormation (optional)
Use this template to create an SNS topic with a secure HTTPS subscription:
AWSTemplateFormatVersion: '2010-09-09'
Description: SNS Topic with HTTPS Subscription (Compliant Configuration)
Parameters:
  TopicName:
    Type: String
    Description: Name of the SNS topic
    Default: my-secure-topic
  HttpsEndpoint:
    Type: String
    Description: HTTPS endpoint URL for the subscription
    Default: https://example.com/webhook
Resources:
  SecureSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref TopicName
      DisplayName: Secure SNS Topic
  HttpsSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref SecureSNSTopic
      Protocol: https
      Endpoint: !Ref HttpsEndpoint
Outputs:
  TopicArn:
    Description: ARN of the SNS topic
    Value: !Ref SecureSNSTopic
  SubscriptionArn:
    Description: ARN of the HTTPS subscription
    Value: !Ref HttpsSubscription
Deploy the template:
aws cloudformation deploy \
--template-file sns-https-subscription.yaml \
--stack-name sns-secure-subscription \
--parameter-overrides \
TopicName=my-secure-topic \
HttpsEndpoint=https://example.com/webhook \
--region us-east-1
Terraform (optional)
Use this Terraform configuration to create SNS subscriptions with secure protocols:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# SNS Topic
resource "aws_sns_topic" "secure_topic" {
  name         = "my-secure-topic"
  display_name = "Secure SNS Topic"
}

# HTTPS subscription (compliant)
resource "aws_sns_topic_subscription" "https_subscription" {
  topic_arn = aws_sns_topic.secure_topic.arn
  protocol  = "https"
  endpoint  = "https://example.com/webhook"
}

# Alternative: SQS subscription (compliant - uses internal AWS encryption)
resource "aws_sns_topic_subscription" "sqs_subscription" {
  topic_arn = aws_sns_topic.secure_topic.arn
  protocol  = "sqs"
  endpoint  = "arn:aws:sqs:us-east-1:123456789012:my-queue"
}

# Alternative: Lambda subscription (compliant - uses internal AWS encryption)
resource "aws_sns_topic_subscription" "lambda_subscription" {
  topic_arn = aws_sns_topic.secure_topic.arn
  protocol  = "lambda"
  endpoint  = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
After making changes, verify that no HTTP subscriptions remain:
- Go to the SNS Subscriptions console
- Check the Protocol column for all subscriptions
- Confirm none show http (all should show https, sqs, lambda, email, or other secure protocols)
CLI Verification
Run the Prowler check to confirm compliance:
prowler aws --checks sns_subscription_not_using_http_endpoints --region us-east-1
Or use the AWS CLI to list any remaining HTTP subscriptions:
aws sns list-subscriptions \
--region us-east-1 \
--query "Subscriptions[?Protocol=='http']" \
--output table
An empty result confirms all HTTP subscriptions have been remediated.
Additional Resources
- Amazon SNS Security Best Practices
- Amazon SNS Message Delivery
- Verifying Amazon SNS Message Signatures
- AWS SNS Subscription Resource (CloudFormation)
Notes
- Endpoint readiness: Before switching to HTTPS, ensure your endpoint has a valid SSL/TLS certificate. Self-signed certificates may cause subscription confirmation failures.
- Alternative protocols: Consider using SQS, Lambda, or other AWS-native protocols instead of HTTP/HTTPS endpoints. These use AWS internal encryption and avoid exposing endpoints to the public internet.
- Message signature verification: Regardless of protocol, always verify SNS message signatures in your application to prevent spoofed messages.
- Existing messages: Changing the subscription does not affect messages already delivered. Any messages sent over HTTP before remediation may have been exposed.