add examples for SNS topic policy

stelligent · Mar 19, 2018 · 0cad7c8 · 0cad7c8
1 parent 4dda162
commit 0cad7c8
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 4 deletions.
diff --git a/example-files/config/README.md b/example-files/config/README.md
@@ -17,6 +17,10 @@ Done:
 * S3BucketPolicyWildcardActionRule
 * S3BucketPolicyWildcardPrincipalRule
 
+* SnsTopicPolicyNotActionRule
+* SnsTopicPolicyNotPrincipalRule
+* SnsTopicPolicyWildcardPrincipalRule
+
 TODO
 * CloudFront resource !Metadata['AWS::CloudFront::Authentication'].nil?  How to specify in Terraform?
 
@@ -49,10 +53,6 @@ TODO
 * SecurityGroupIngressPortRangeRule
 * SecurityGroupMissingEgressRule
 
-* SnsTopicPolicyNotActionRule
-* SnsTopicPolicyNotPrincipalRule
-* SnsTopicPolicyWildcardPrincipalRule
-
 * SqsQueuePolicyNotActionRule
 * SqsQueuePolicyNotPrincipalRule
 * SqsQueuePolicyWildcardActionRule

diff --git a/example-files/config/sns.tf b/example-files/config/sns.tf
@@ -0,0 +1,40 @@
+resource "aws_sns_topic" "test" {
+  name = "my-topic-with-policy"
+}
+
+resource "aws_sns_topic_policy" "default" {
+  arn = "${aws_sns_topic.test.arn}"
+
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYSNSTOPICPOLICY",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "*"
+    } 
+  ]
+}
+POLICY
+}
+
+resource "aws_sns_topic_policy" "sns_topic_policy_with_not" {
+  arn = "${aws_sns_topic.test.arn}"
+
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYSNSTOPICPOLICY",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "NotPrincipal": "*",
+      "NotAction": "*"
+    } 
+  ]
+}
+POLICY
+}
+
diff --git a/example-files/rules/terraform.yml b/example-files/rules/terraform.yml
@@ -254,3 +254,29 @@ Rules:
           key: policy.Statement[].Action
           op: contains
           value: "*"
+  - id: SNS_TOPIC_POLICY_WILDCARD_PRINCIPAL
+    message: Should not allow wildcard principal in SNS topic policy
+    resource: aws_sns_topic_policy
+    severity: WARNING
+    assertions:
+      - not:
+        - type: value
+          key: policy.Statement[].Principal
+          op: contains
+          value: "*"
+  - id: SNS_TOPIC_POLICY_NOT_ACTION
+    message: Should not include NotAction in SNS topic policy
+    resource: aws_sns_topic_policy
+    severity: WARNING
+    assertions:
+      - type: value
+        key: policy.Statement[].NotAction
+        op: absent
+  - id: SNS_TOPIC_POLICY_NOT_PRINCIPAL
+    message: Should not include NotPrincipal in SNS topic policy
+    resource: aws_sns_topic_policy
+    severity: WARNING
+    assertions:
+      - type: value
+        key: policy.Statement[].NotPrincipal
+        op: absent