Amazon_SNS_9
SNS topics might contain sensitive information or initiate critical tasks. Determine the specific principals and the actions they require, and then craft an IAM policy that grants only those permissions.
From Console:
1. Open the Amazon SNS console https://console.aws.amazon.com/sns/
2. In the left navigation pane, choose Topics.
3. Choose your Amazon SNS topic’s name.
4. Choose the Edit button.
5. Expand the Access policy – optional section.
6. Edit the access policy to grant the required permissions for your use case. (You can also use the AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html)
7. In the policy, wherever Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.
8. Choose Save Changes.
From CLI:
1. Create a JSON file with the policy statement. Wherever Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.
2. Use the CLI command below to update the policy (the attribute name is case-sensitive, and the file path must use the lowercase file:// prefix).
aws sns set-topic-attributes --topic-arn TOPIC_ARN --attribute-name Policy --attribute-value file://UPDATE_ATTRIBUTES.json
From CFT:
1. See the example below. Wherever Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.
Resources:
  SampleSNSPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Id: __default_policy_ID
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "111122223333"
            Action:
              - SNS:GetTopicAttributes
            Resource: arn:aws:sns:us-east-2:444455556666:MyTopic
            Condition:
              StringEquals:
                AWS:SourceOwner: '444455556666'
      Topics:
        - "arn:aws:sns:us-east-2:444455556666:MyTopic"
From TF:
1. See the example below. Wherever Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.
resource "aws_sns_topic_policy" "default" {
  arn    = "arn:aws:sns:us-east-2:444455556666:MyTopic"
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

data "aws_iam_policy_document" "sns_topic_policy" {
  policy_id = "__default_policy_ID"

  statement {
    sid    = "__default_statement_ID"
    effect = "Allow"

    actions = [
      "SNS:DeleteTopic",
    ]

    # Restrict the grant to a specific account rather than "*".
    principals {
      type        = "AWS"
      identifiers = ["111122223333"]
    }

    resources = [
      "arn:aws:sns:us-east-2:444455556666:MyTopic",
    ]

    # Condition values must be strings, so the account ID is quoted.
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"
      values = [
        "444455556666",
      ]
    }
  }
}
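As an added audit check that is not part of the original page or of any AWS tooling, the following Python script applies the rule repeated in each section above to a topic policy document: every Allow statement granting one of the listed actions is flagged if its Principal is '*' or Principal.AWS contains '*', or if it has no Condition. Both sample policies are constructed for this example; the scoped one mirrors the template shown above.

```python
import json

# Sensitive topic actions named in the remediation text (compared case-insensitively).
SENSITIVE_ACTIONS = {
    "sns:gettopicattributes", "sns:settopicattributes", "sns:addpermission",
    "sns:removepermission", "sns:deletetopic", "sns:listsubscriptionsbytopic",
}

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _is_wildcard_principal(principal):
    """True for Principal "*" or any Principal.AWS entry equal to "*"."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_violations(policy_json):
    """Return (Sid, reason) pairs for Allow statements granting a sensitive
    action that use a wildcard principal or lack a Condition block."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        # "sns:*" and "*" also grant every sensitive action.
        if not (actions & SENSITIVE_ACTIONS or actions & {"sns:*", "*"}):
            continue
        sid = stmt.get("Sid", "Statement[%d]" % idx)
        if _is_wildcard_principal(stmt.get("Principal")):
            findings.append((sid, "wildcard-principal"))
        if not stmt.get("Condition"):
            findings.append((sid, "no-condition"))
    return findings

# Constructed sample: open to any AWS account and without a Condition (fails the check).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "OpenToWorld", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:DeleteTopic", "SNS:Subscribe"],
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"}]})

# Constructed sample mirroring the page's template: one account plus a SourceOwner condition (passes).
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "__default_statement_ID", "Effect": "Allow",
    "Principal": {"AWS": "111122223333"}, "Action": "SNS:GetTopicAttributes",
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
    "Condition": {"StringEquals": {"AWS:SourceOwner": "444455556666"}}}]})
```

To audit a live topic, feed the script the Policy attribute returned by aws sns get-topic-attributes; an empty result means the statement set satisfies the rule as stated on this page.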
Reference:
1. https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy
4. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html