Trying to create an SNS topic using a CloudFormation script. It all works fine, except the topic policy.
This is what we get by default:
I want to update the policy as below using a CloudFormation script.
Any suggestions on how to achieve this?
Ensures SNS topics do not allow global send or subscribe. SNS policies should not be configured to allow any AWS user to subscribe or send messages. This could result in data leakage or financial DDoS.
In your CloudFormation template, if you simply reference your SNS topic, then you'll get the ARN. So you can use that as input to your nested CloudFormation template.
As was pointed out in one of the comments, you don't want to use AWS:* as a principal since it grants anyone with an AWS account access.
To create an SNS topic and restrict access to certain services, or to anyone in the account, use the following example.
The "AllowServices" Sid shows how to add multiple services, while "AllowAWS" allows anything in the account to access it.
---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  Email:
    Type: String
    Default: <your name here>
Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: TestTopic
      Subscription:
        - Endpoint: !Ref Email
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          # Only the listed AWS services may publish to the topic.
          - Sid: AllowServices
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
                - cloudwatch.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
          # Any principal in this account (not AWS: '*') may publish.
          - Sid: AllowAWS
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
      Topics:
        - !Ref Topic
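As an added illustration (not part of the original answer), the check from the "no global send or subscribe" rule above, written as a small Python function: it flags Allow statements whose Principal is `*` or `AWS: *` and that grant publish or subscribe with no Condition, while leaving the default-style statement (scoped by `AWS:SourceOwner`) and service principals alone. The policy documents and the account id 123456789012 are constructed placeholders.

```python
import json

# Actions that let an arbitrary principal send to or subscribe to the topic.
RISKY_ACTIONS = {"sns:publish", "sns:subscribe", "sns:*", "*"}

def _as_list(value):
    """IAM accepts a scalar or a list for Principal, Action and Resource."""
    return value if isinstance(value, list) else [value]

def _principal_is_global(principal):
    """True for Principal '*' or {'AWS': '*'}, i.e. any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_global_grants(policy_json):
    """Return Sids of Allow statements giving every AWS account publish or
    subscribe rights with no Condition. A Condition such as AWS:SourceOwner
    (as on the default SNS policy) scopes '*' to one account, so it is skipped."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_global(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & RISKY_ACTIONS:
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings

# Constructed sample policies; 123456789012 is a placeholder account id.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:TestTopic"
OPEN_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "GlobalPublish", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN}]})
SCOPED_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "SameAccountOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN,
     "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
    {"Sid": "AllowServices", "Effect": "Allow", "Action": "sns:Publish",
     "Principal": {"Service": ["events.amazonaws.com", "cloudwatch.amazonaws.com"]},
     "Resource": TOPIC_ARN}]})

if __name__ == "__main__":
    print(find_global_grants(OPEN_POLICY))    # ['GlobalPublish']
    print(find_global_grants(SCOPED_POLICY))  # []
```

Run it against the JSON that `aws sns get-topic-attributes` returns in the `Policy` attribute to audit existing topics.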