I have a scenario whereby I want to create an SNS topic but apply a resource policy such that only certain endpoints are allowed to subscribe to it, e.g.
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::555555555:root"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:eu-west-1:555555555:hafiz-test"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::555555554:root"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-1:555555555:hafiz-test",
      "Condition": {
        "StringLike": {
          "SNS:Endpoint": "arn:aws:sqs:eu-west-1:555555554:hafiz-test"
        }
      }
    }
  ]
}
This works perfectly in a scenario where the SQS queue subscribing to the SNS topic is in another account: unless I list the SQS ARN "SNS:Endpoint": "arn:aws:sqs:eu-west-1:555555554:hafiz-test" in the condition, the subscription fails with a permissions error.
I want to achieve the same thing for any SQS queues that are in the SNS owner account. At the moment any SQS queue in the same account as the SNS topic can subscribe to it.
Thanks much appreciated.
This is a bit of an old question, but since I figured out the answer, I am still going to post it.
If there are both a resource-based policy and an identity-based policy to be considered in the decision whether to allow or deny a certain action, it is sufficient that at least one Allow (either in the identity-based policy or in the resource-based policy) is present; see: https://hina-notebook.medium.com/aws-iam-policy-evaluation-logic-ultra-simplified-2620378d9041, and also https://towardsaws.com/aws-iam-part-2-identity-based-and-resource-based-policy-225cf96cf9e2 for an explanation of what identity-based and resource-based policies are.
In the example above, there is an Allow for SNS:Subscribe, but only when SNS:Endpoint is equal to arn:aws:sqs:eu-west-1:555555554:hafiz-test. At first sight, regardless of who makes the SNS:Subscribe request, only this queue should be allowed. However, if the request is made by a Principal whose identity-based policy has an explicit Allow for "SNS:Subscribe" without any conditions, that Principal may still perform SNS:Subscribe, as there is no explicit Deny for this Principal and this Action. The topic has probably been created by the root account, which has such an identity policy attached, allowing it to create such subscriptions.
Subscribing from different accounts does not succeed, as users from other accounts do not have Allow entries in their policies letting them subscribe to topics in your account.
To achieve exactly what you want, you have to use the following Statement (note the explicit Deny, which gets evaluated first and results in a Deny decision, so the explicit Allow present for the topic owner is not evaluated anymore):
{
  "Sid": "__console_sub_0",
  "Effect": "Deny",
  "Principal": {
    "AWS": "*"
  },
  "Action": [
    "SNS:Subscribe"
  ],
  "Resource": "arn:aws:sns:eu-west-1:555555555:hafiz-test",
  "Condition": {
    "ArnNotLike": {
      "SNS:Endpoint": "arn:aws:sqs:eu-west-1:555555554:hafiz-test"
    }
  }
}
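The reasoning in the answer above (a conditional Allow in the topic policy does not stop a same-account principal whose identity policy already allows SNS:Subscribe, but an explicit Deny with ArnNotLike does) can be checked offline with a small model of IAM policy evaluation. The following is an added example, not code from the question or the answer: it encodes the asker's topic policy, builds a hardened copy that keeps the cross-account Allow and appends the Deny statement under a constructed Sid ("__deny_sub_unlisted_endpoint"; Sids must be unique, so the answer's Deny cannot reuse "__console_sub_0" if the Allow is kept), and evaluates SNS:Subscribe requests against both. The "rogue-queue" ARN is constructed, the model implements only the StringLike/ArnLike and StringNotLike/ArnNotLike operators, and identity-based policies are reduced to a set of unconditionally allowed actions; it applies the real IAM rule that a same-account request needs an Allow from either policy while a cross-account request needs an Allow from both, and that an explicit Deny always wins.

```python
"""Simplified IAM evaluation for the SNS:Subscribe restriction discussed above (added example)."""
import fnmatch
import json

# Identifiers from the question; SAME_ACCOUNT_QUEUE is a constructed example queue.
TOPIC_ARN = "arn:aws:sns:eu-west-1:555555555:hafiz-test"
TOPIC_ACCOUNT = "555555555"
ALLOWED_QUEUE = "arn:aws:sqs:eu-west-1:555555554:hafiz-test"
SAME_ACCOUNT_QUEUE = "arn:aws:sqs:eu-west-1:555555555:rogue-queue"  # constructed

# The topic policy exactly as posted in the question (conditional Allow only).
ORIGINAL_TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {"Sid": "__console_pub_0", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::555555555:root"},
         "Action": "SNS:Publish", "Resource": TOPIC_ARN},
        {"Sid": "__console_sub_0", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::555555554:root"},
         "Action": ["SNS:Subscribe", "SNS:Receive"], "Resource": TOPIC_ARN,
         "Condition": {"StringLike": {"SNS:Endpoint": ALLOWED_QUEUE}}},
    ],
}


def hardened_policy():
    """Original policy plus the answer's explicit Deny (Sid is a constructed, unique name)."""
    policy = json.loads(json.dumps(ORIGINAL_TOPIC_POLICY))  # deep copy
    policy["Statement"].append({
        "Sid": "__deny_sub_unlisted_endpoint", "Effect": "Deny",
        "Principal": {"AWS": "*"}, "Action": ["SNS:Subscribe"], "Resource": TOPIC_ARN,
        "Condition": {"ArnNotLike": {"SNS:Endpoint": ALLOWED_QUEUE}},
    })
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards are * and ?; ARNs contain no [ ] so fnmatch semantics coincide.
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, context):
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            matched = actual is not None and any(_matches(p, actual) for p in _as_list(patterns))
            if operator in ("StringLike", "ArnLike"):
                if not matched:
                    return False
            elif operator in ("StringNotLike", "ArnNotLike"):
                if matched:  # Not-operators also hold when the key is absent
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _statement_applies(stmt, req):
    return (any(_matches(p, req["principal"]) for p in _as_list(stmt["Principal"]["AWS"]))
            and any(_matches(a, req["action"]) for a in _as_list(stmt["Action"]))
            and any(_matches(r, req["resource"]) for r in _as_list(stmt.get("Resource", "*")))
            and _conditions_hold(stmt.get("Condition", {}), req["context"]))


def evaluate(topic_policy, req, identity_allows):
    """Return 'Allow' or 'Deny'. identity_allows: actions the caller's identity policy allows."""
    effects = [s["Effect"] for s in topic_policy["Statement"] if _statement_applies(s, req)]
    if "Deny" in effects:
        return "Deny"  # an explicit Deny wins regardless of any Allow
    resource_allow = "Allow" in effects
    identity_allow = req["action"] in identity_allows
    same_account = req["principal"].split(":")[4] == TOPIC_ACCOUNT
    if same_account:
        return "Allow" if (resource_allow or identity_allow) else "Deny"
    return "Allow" if (resource_allow and identity_allow) else "Deny"


def subscribe_request(principal_arn, endpoint):
    return {"principal": principal_arn, "action": "SNS:Subscribe",
            "resource": TOPIC_ARN, "context": {"SNS:Endpoint": endpoint}}


def run_scenarios():
    """Map scenario name -> (decision under original policy, decision under hardened policy)."""
    owner, other = "arn:aws:iam::555555555:root", "arn:aws:iam::555555554:root"
    scenarios = {
        "owner_rogue_queue": (owner, SAME_ACCOUNT_QUEUE, {"SNS:Subscribe"}),
        "owner_allowed_queue": (owner, ALLOWED_QUEUE, {"SNS:Subscribe"}),
        "other_allowed_queue": (other, ALLOWED_QUEUE, {"SNS:Subscribe"}),
        "other_no_identity_allow": (other, ALLOWED_QUEUE, set()),
        "other_unlisted_queue": (other, "arn:aws:sqs:eu-west-1:555555554:another", {"SNS:Subscribe"}),
    }
    return {name: (evaluate(ORIGINAL_TOPIC_POLICY, subscribe_request(p, e), ids),
                   evaluate(hardened_policy(), subscribe_request(p, e), ids))
            for name, (p, e, ids) in scenarios.items()}


if __name__ == "__main__":
    for name, (before, after) in run_scenarios().items():
        print(f"{name:28s} original={before:5s} hardened={after}")
```

The "owner_rogue_queue" row is the asker's problem: the owner account's unconditional identity Allow wins under the original policy and is overridden by the explicit Deny in the hardened one, while the listed cross-account queue keeps working in both. Before deploying, the same scenarios can be checked against the real service with the IAM policy simulator or a SubscribeCommand dry run in a non-production account.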