Creating an Amazon VPC endpoint policy for Amazon SNS - Amazon Simple Notification Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating an Amazon VPC endpoint policy for Amazon SNS

You can create a policy for Amazon VPC endpoints for Amazon SNS in which you specify the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.

The following example VPC endpoint policy specifies that the IAM user MyUser is allowed to publish to the Amazon SNS topic MyTopic.

{ "Statement": [{ "Action": ["sns:Publish"], "Effect": "Allow", "Resource": "arn:aws-cn:sns:us-east-2:123456789012:MyTopic", "Principal": { "AWS": "arn:aws-cn:iam:123456789012:user/MyUser" } }] }

The following are denied:

  • Other Amazon SNS API actions, such as sns:Subscribe and sns:Unsubscribe.

  • Other IAM users and rules which attempt to use this VPC endpoint.

  • MyUser publishing to a different Amazon SNS topic.


The IAM user can still use other Amazon SNS API actions from outside the VPC.