Example cases for Amazon SNS access control - Amazon Simple Notification Service

Grant Amazon Web Services account access to a topic Limit subscriptions to HTTPS Publish messages to an Amazon SQS queue Allow Amazon S3 event notifications to publish to a topic Allow Amazon SES to publish to a topic that is owned by another account aws:SourceAccount versus aws:SourceOwner Allow accounts in an organization in Amazon Organizations to publish to a topic in a different account Allow any CloudWatch alarm to publish to a topic in a different account Restrict publication to an Amazon SNS topic only from a specific VPC endpoint

This section describes a few examples of typical use cases for access control.

Topics

Grant Amazon Web Services account access to a topic
Limit subscriptions to HTTPS
Publish messages to an Amazon SQS queue
Allow Amazon S3 event notifications to publish to a topic
Allow Amazon SES to publish to a topic that is owned by another account
aws:SourceAccount versus aws:SourceOwner
Allow accounts in an organization in Amazon Organizations to publish to a topic in a different account
Allow any CloudWatch alarm to publish to a topic in a different account
Restrict publication to an Amazon SNS topic only from a specific VPC endpoint

Let's say you have a topic in the Amazon SNS system. In the simplest case, you want to allow one or more Amazon Web Services accounts access to a specific topic action (for example, Publish).

You can do this using the Amazon SNS API action AddPermission. It takes a topic, a list of Amazon Web Services account IDs, a list of actions, and a label, and automatically creates a new statement in the topic's access control policy. In this case, you don't write a policy yourself, because Amazon SNS automatically generates the new policy statement for you. You can remove the policy statement later by calling RemovePermission with its label.

For example, if you called AddPermission on the topic arn:aws-cn:sns:us-east-2:444455556666:MyTopic, with Amazon Web Services account ID 1111-2222-3333, the Publish action, and the label grant-1234-publish, Amazon SNS would generate and insert the following access control policy statement:


{
  "Statement": [{
    "Sid": "grant-1234-publish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "111122223333"
    },
    "Action": ["sns:Publish"],
    "Resource": "arn:aws-cn:sns:us-east-2:444455556666:MyTopic"
  }]
}

Once this statement is added, the user with Amazon Web Services account 1111-2222-3333 can publish messages to the topic.

In the following example, you limit the notification delivery protocol to HTTPS.

You need to know how to write your own policy for the topic because the Amazon SNS AddPermission action doesn't let you specify a protocol restriction when granting someone access to your topic. In this case, you would write your own policy, and then use the SetTopicAttributes action to set the topic's Policy attribute to your new policy.

The following example of a full policy grants the Amazon Web Services account ID 1111-2222-3333 the ability to subscribe to notifications from a topic.


{
  "Statement": [{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "111122223333"
    },
    "Action": ["sns:Subscribe"],
    "Resource": "arn:aws-cn:sns:us-east-2:444455556666:MyTopic",
    "Condition": {
      "StringEquals": {
        "sns:Protocol": "https"
      }
    }
  }]
}

In this use case, you want to publish messages from your topic to your Amazon SQS queue. Like Amazon SNS, Amazon SQS uses Amazon's access control policy language. To allow Amazon SNS to send messages, you'll need to use the Amazon SQS action SetQueueAttributes to set a policy on the queue.

Again, you'll need to know how to write your own policy because the Amazon SQS AddPermission action doesn't create policy statements with conditions.

Note

The example presented below is an Amazon SQS policy (controlling access to your queue), not an Amazon SNS policy (controlling access to your topic). The actions are Amazon SQS actions, and the resource is the Amazon Resource Name (ARN) of the queue. You can determine the queue's ARN by retrieving the queue's QueueArn attribute with the GetQueueAttributes action.


{
  "Statement": [{
    "Sid": "Allow-SNS-SendMessage",
    "Effect": "Allow",
    "Principal": {
      "Service": "sns.amazonaws.com"
    },
    "Action": ["sqs:SendMessage"],
    "Resource": "arn:aws-cn:sqs:us-east-2:444455556666:MyQueue",
    "Condition": {
      "ArnEquals": {
        "aws:SourceArn": "arn:aws-cn:sns:us-east-2:444455556666:MyTopic"
      }
    }
  }]
}

This policy uses the aws:SourceArn condition to restrict access to the queue based on the source of the message being sent to the queue. You can use this type of policy to allow Amazon SNS to send messages to your queue only if the messages are coming from one of your own topics. In this case, you specify a particular one of your topics, whose ARN is arn:aws-cn:sns:us-east-2:444455556666:MyTopic.

The preceding policy is an example of the Amazon SQS policy you could write and add to a specific queue. It would grant access to Amazon SNS and other Amazon services. Amazon SNS grants a default policy to all newly created topics. The default policy grants access to your topic to all other Amazon services. This default policy uses an aws:SourceArn condition to ensure that Amazon services access your topic only on behalf of Amazon resources you own.

In this case, you want to configure a topic's policy so that another Amazon Web Services account's Amazon S3 bucket can publish to your topic. For more information about publishing notifications from Amazon S3, go to Setting Up Notifications of Bucket Events.

This example assumes that you write your own policy and then use the SetTopicAttributes action to set the topic's Policy attribute to your new policy.

The following example statement uses the SourceAccount condition to ensure that only the Amazon S3 owner account can access the topic. In this example, the topic owner is 111122223333 and the Amazon S3 owner is 444455556666. The example states that any Amazon S3 bucket owned by 444455556666 is allowed to publish to MyTopic.


{
  "Statement": [{
    "Effect": "Allow",
     "Principal": { 
      "Service": "s3.amazonaws.com" 
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws-cn:sns:us-east-2:111122223333:MyTopic",
    "Condition": {
      "StringEquals": {
        "AWS:SourceAccount": "444455556666"
      }       
    }
  }]
}

When publishing events to Amazon SNS, the following services support aws:SourceAccount:

Amazon API Gateway
Amazon CloudWatch
Amazon DevOps Guru
Amazon DynamoDB
Amazon ElastiCache
Amazon GameLift
Amazon Pinpoint SMS and Voice API
Amazon RDS
Amazon Redshift
Amazon S3 Glacier
Amazon SES
Amazon Simple Storage Service
Amazon CodeCommit
Amazon Directory Service
Amazon Lambda
Amazon Systems Manager Incident Manager

You can allow another Amazon service to publish to a topic that is owned by another Amazon Web Services account. Suppose that you signed into the 111122223333 account, opened Amazon SES, and created an email. To publish notifications about this email to a Amazon SNS topic that the 444455556666 account owns, you'd create a policy like the following. To do so, you need to provide information about the principal (the other service) and each resource's ownership. The Resource statement provides the topic ARN, which includes the account ID of the topic owner, 444455556666. The "aws:SourceOwner": "111122223333" statement specifies that your account owns the email.


{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws-cn:sns:us-east-2:444455556666:MyTopic",
      "Condition": {
        "StringEquals": {
          "aws:SourceOwner": "111122223333"
        }
      }
    }
  ]
}

When publishing events to Amazon SNS, the following services support aws:SourceOwner:

Amazon API Gateway
Amazon CloudWatch
Amazon DevOps Guru
Amazon DynamoDB
Amazon ElastiCache
Amazon GameLift
Amazon Pinpoint SMS and Voice API
Amazon RDS
Amazon Redshift
Amazon SES
Amazon CodeCommit
Amazon Directory Service
Amazon Lambda
Amazon Systems Manager Incident Manager

`aws:SourceAccount` versus `aws:SourceOwner`

Important

aws:SourceOwner is deprecated and new services can integrate with Amazon SNS only through aws:SourceArn and aws:SourceAccount. Amazon SNS still maintains backward compatibility for existing services that are currently supporting aws:SourceOwner.

The aws:SourceAccount and aws:SourceOwner condition keys are each set by some Amazon Web Services when they publish to an Amazon SNS topic. When supported, the value will be the 12-digit Amazon account ID on whose behalf the service is publishing data. Some services support one, and some support the other.

See Allow Amazon S3 event notifications to publish to a topic for how Amazon S3 notifications use aws:SourceAccount and a list of Amazon services that support that condition.
See Allow Amazon SES to publish to a topic that is owned by another account for how Amazon SES uses aws:SourceOwner and a list of Amazon services that support that condition.

The Amazon Organizations service helps you to centrally manage billing, control access and security, and share resources across your Amazon Web Services accounts.

You can find your organization ID in the Organizations console. For more information, see Viewing details of an organization from the management account.

In this example, any Amazon Web Services account in organization myOrgId can publish to Amazon SNS topic MyTopic in account 444455556666. The policy checks the organization ID value using the aws:PrincipalOrgID global condition key.


{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws-cn:sns:us-east-2:444455556666:MyTopic",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "myOrgId"
                }
            }
        }
    ]
}

In this case, any CloudWatch alarms in account 111122223333 are allowed to publish to an Amazon SNS topic in account 444455556666.


{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws-cn:sns:us-east-2:444455556666:MyTopic",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws-cn:cloudwatch:us-east-2:111122223333:alarm:*"
                }
            }
        }
    ]
}

In this case, the topic in account 444455556666 is allowed to publish only from the VPC endpoint with the ID vpce-1ab2c34d.


{
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "SNS:Publish",
    "Resource": "arn:aws-cn:sns:us-east-2:444455556666:MyTopic",
    "Condition": {
      "StringNotEquals": {
        "aws:sourceVpce": "vpce-1ab2c34d"
      }
    }
  }]
}

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Evaluation logic

How Amazon Simple Notification Service works with IAM