Skip to content
Threat Feed
low advisory

AWS SNS Rare Protocol Subscription by User

A user subscribing to an SNS topic using a new protocol may indicate data exfiltration or unauthorized access by an adversary aiming to collect sensitive information or exfiltrate data.

This detection identifies when a user subscribes to an Amazon Simple Notification Service (SNS) topic using a protocol type that is new for that user. SNS allows subscriptions via various protocols, including email, SMS, Lambda functions, and HTTP endpoints. An adversary might exploit this feature to collect sensitive information or exfiltrate data by subscribing with an external email address, a cross-account AWS service, or other means. This "new terms" rule specifically triggers when a previously unseen protocol is used for a subscription by a given user, helping to surface potentially malicious or anomalous activity within an AWS environment.

Attack Chain

  1. An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a vulnerability.
  2. The attacker identifies an SNS topic containing sensitive data or acting as a conduit for valuable information.
  3. The attacker uses the AWS CLI or API to subscribe to the targeted SNS topic.
  4. The attacker selects a rare or unusual protocol for the subscription, such as an external email address, an HTTP endpoint on a rogue server, or a Lambda function under their control.
  5. The attacker configures the subscription to forward messages from the SNS topic to the chosen endpoint.
  6. When messages are published to the SNS topic, they are automatically delivered to the attacker-controlled endpoint.
  7. The attacker receives the exfiltrated data via the chosen protocol.
  8. The attacker covers their tracks by deleting CloudTrail logs or creating new subscriptions and deleting the original.

Impact

A successful attack can lead to the exfiltration of sensitive data, unauthorized access to internal systems, or resource hijacking within the AWS environment. The severity depends on the sensitivity of the data transmitted through the SNS topic and the permissions associated with the compromised AWS account. This could result in financial loss, reputational damage, or legal repercussions.

Recommendation

  • Deploy the "AWS SNS Rare Protocol Subscription by User" rule to your SIEM and tune the history_window_start to reduce false positives based on your environment.
  • Investigate any alerts generated by the "AWS SNS Rare Protocol Subscription by User" rule, focusing on the aws.cloudtrail.user_identity.arn and aws.cloudtrail.request_parameters fields to determine the actor and the protocol used.
  • Review IAM policies associated with users who trigger this alert to ensure the principle of least privilege.
  • Monitor CloudTrail logs for subsequent Publish actions on the same SNS topic to detect potential data exfiltration attempts.
  • Configure alerts for any unauthorized modifications to SNS topic policies or subscriptions.

Detection coverage 2

AWS SNS New Email Protocol Subscription by User

low

Detects when a user subscribes to an SNS topic using the email protocol for the first time.

sigma tactics: exfiltration techniques: T1567 sources: cloudtrail, aws

AWS SNS New Lambda Protocol Subscription by User

low

Detects when a user subscribes to an SNS topic using the lambda protocol for the first time.

sigma tactics: exfiltration techniques: T1567 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →