Amazon SNS API permissions: Actions and resources reference - Amazon Simple Notification Service

Amazon SNS API permissions: Actions and resources reference

The following list provides information specific to the Amazon SNS implementation of access control:

  • Each policy must cover only a single topic (when writing a policy, don't include statements that cover different topics)

  • Each policy must have a unique policy Id

  • Each statement in a policy must have a unique statement sid

Policy quotas

The following table lists the maximum quotas for a policy statement.

Name Maximum quota
Bytes 30 kb
Statements 100
Principals 1 to 200 (0 is invalid.)
Resource 1 (0 is invalid. The value must match the ARN of the policy's topic.)

Valid Amazon SNS policy actions

Amazon SNS supports the actions shown in the following table.

Action Description
sns:AddPermission Grants permission to add permissions to the topic policy.
sns:DeleteTopic Grants permission to delete a topic.
sns:GetDataProtectionPolicy Grants permission to retrieve a topic's data protection policy.
sns:GetTopicAttributes Grants permission to receive all of the topic attributes.
sns:ListSubscriptionsByTopic Grants permission to retrieve all the subscriptions to a specific topic.
sns:ListTagsForResource Grants permission to list all tags added to a specific topic.
sns:Publish Grants permission to both publish and publish batch to a topic or endpoint. For more information, see Publish and PublishBatch in the Amazon Simple Notification Service API Reference.
sns:PutDataProtectionPolicy Grants permission to set a topic's data protection policy.
sns:RemovePermission Grants permission to remove any permissions in the topic policy.
sns:SetTopicAttributes Grants permission to set a topic's attributes.
sns:Subscribe Grants permission to subscribe to a topic.

Service-specific keys

Amazon SNS uses the following service-specific keys. You can use these in policies that restrict access to Subscribe requests.

  • sns:endpoint—The URL, email address, or ARN from a Subscribe request or a previously confirmed subscription. Use with string conditions (see Example policies for Amazon SNS) to restrict access to specific endpoints (for example, *@example.com).

  • sns:protocol—The protocol value from a Subscribe request or a previously confirmed subscription. Use with string conditions (see Example policies for Amazon SNS) to restrict publication to specific delivery protocols (for example, https).

Important

When you use a policy to control access by sns:endpoint, be aware that DNS issues might affect the endpoint's name resolution in the future.
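
A pre-deployment check for a topic policy against the rules, quotas, and action table on this page. This is an added example, not AWS code. The function name `lint_topic_policy`, the reading of "30 kb" as 30 * 1024 bytes, and the rule that flags `sns:endpoint`/`sns:protocol` conditions on statements that are not Subscribe-only are assumptions of this example.

```python
import json

# Limits and action names are taken from the tables on this page.
MAX_BYTES = 30 * 1024  # assumption: "30 kb" read as 30 * 1024 bytes
MAX_STATEMENTS, MAX_PRINCIPALS = 100, 200
VALID_ACTIONS = {a.lower() for a in (
    "sns:AddPermission sns:DeleteTopic sns:GetDataProtectionPolicy "
    "sns:GetTopicAttributes sns:ListSubscriptionsByTopic sns:ListTagsForResource "
    "sns:Publish sns:PutDataProtectionPolicy sns:RemovePermission "
    "sns:SetTopicAttributes sns:Subscribe").split()}
SUBSCRIBE_KEYS = {"sns:endpoint", "sns:protocol"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(principal):
    if isinstance(principal, dict):  # e.g. {"AWS": [...], "Service": "..."}
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)       # e.g. "*"

def lint_topic_policy(policy_json, topic_arn):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(policy_json.encode("utf-8")) > MAX_BYTES:
        findings.append("policy: larger than 30 kb")
    policy = json.loads(policy_json)
    if not policy.get("Id"):
        findings.append("policy: missing Id")
    statements = _as_list(policy.get("Statement", []))
    if len(statements) > MAX_STATEMENTS:
        findings.append("policy: more than 100 statements")
    seen = set()
    for i, stmt in enumerate(statements):
        label = stmt.get("Sid") or f"statement[{i}]"
        if label in seen:
            findings.append(f"{label}: duplicate Sid")
        seen.add(label)
        if _as_list(stmt.get("Resource", [])) != [topic_arn]:
            findings.append(f"{label}: Resource must be exactly the topic ARN")
        count = len(_principals(stmt.get("Principal", [])))
        if not 1 <= count <= MAX_PRINCIPALS:
            findings.append(f"{label}: {count} principals (allowed: 1 to 200)")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        findings += [f"{label}: {a} is not in the action table"
                     for a in actions if a not in VALID_ACTIONS]
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if keys & SUBSCRIBE_KEYS and actions != ["sns:subscribe"]:
            findings.append(f"{label}: endpoint/protocol condition on non-Subscribe actions")
    return findings
```

Call `lint_topic_policy(policy_text, topic_arn)` with the policy as a JSON string and the ARN of the topic it will be attached to. Action and condition key names are compared case-insensitively.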