Creating an Amazon VPC endpoint policy for Amazon SNS
You can create a policy for Amazon VPC endpoints for Amazon SNS in which you specify the following:
- The principal that can perform actions.
- The actions that can be performed.
- The resources on which actions can be performed.
For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.
The following example VPC endpoint policy specifies that the IAM user MyUser is allowed to publish to the Amazon SNS topic MyTopic. Note the empty region field in the IAM principal ARN (arn:aws-cn:iam::...): IAM is a global service, so its ARNs carry no region.

{
  "Statement": [{
    "Action": ["sns:Publish"],
    "Effect": "Allow",
    "Resource": "arn:aws-cn:sns:us-east-2:123456789012:MyTopic",
    "Principal": {
      "AWS": "arn:aws-cn:iam::123456789012:user/MyUser"
    }
  }]
}
The following are denied for requests that pass through this endpoint:
- Other Amazon SNS API actions, such as sns:Subscribe and sns:Unsubscribe.
- Other IAM users and roles which attempt to use this VPC endpoint.
- MyUser publishing to a different Amazon SNS topic.
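To make the allow/deny outcomes above concrete, here is a small, self-contained evaluator added as an example for this page; it is not AWS's policy engine and not part of the original documentation. It implements only the core IAM rule (an explicit Deny wins, any matching Allow permits, otherwise implicit deny) with wildcard matching on Principal, Action and Resource, and ignores Condition, NotAction and other elements. The test requests (the other user, the other topic, the Subscribe call) are constructed here to mirror the denied cases listed above.

```python
"""Simplified evaluator for the Amazon SNS VPC endpoint policy shown on this page.

This is an illustrative re-implementation of the basic IAM decision rule, not
AWS's real policy engine: Condition, NotAction, NotResource and cross-account
nuances are deliberately left out.
"""
import fnmatch
import json

# The endpoint policy from the page (IAM principal ARN has an empty region field).
ENDPOINT_POLICY = json.loads("""
{
  "Statement": [{
    "Action": ["sns:Publish"],
    "Effect": "Allow",
    "Resource": "arn:aws-cn:sns:us-east-2:123456789012:MyTopic",
    "Principal": { "AWS": "arn:aws-cn:iam::123456789012:user/MyUser" }
  }]
}
""")

MY_USER = "arn:aws-cn:iam::123456789012:user/MyUser"
MY_TOPIC = "arn:aws-cn:sns:us-east-2:123456789012:MyTopic"
# Constructed identifiers for the denied cases; they do not appear on the page.
OTHER_USER = "arn:aws-cn:iam::123456789012:user/OtherUser"
OTHER_TOPIC = "arn:aws-cn:sns:us-east-2:123456789012:OtherTopic"


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of patterns ('*' means anyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def _matches(patterns, value, case_sensitive=True):
    """IAM-style matching with '*' and '?' wildcards.

    ARNs are compared case-sensitively; action names are case-insensitive.
    """
    if not case_sensitive:
        patterns = [p.lower() for p in patterns]
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, principal_arn, action, resource_arn):
    """Return 'Allow' or 'Deny' for one request arriving through the endpoint.

    Explicit Deny always wins; a matching Allow permits; with no match the
    request is implicitly denied. Remember that a real request must also pass
    the caller's IAM policy and the topic's access policy.
    """
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _matches(_principals(statement), principal_arn):
            continue
        if not _matches(_as_list(statement.get("Action")), action, case_sensitive=False):
            continue
        if not _matches(_as_list(statement.get("Resource")), resource_arn):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def page_cases():
    """The four scenarios described on the page, with their decisions."""
    requests = [
        ("MyUser publishes to MyTopic", MY_USER, "sns:Publish", MY_TOPIC),
        ("MyUser subscribes to MyTopic", MY_USER, "sns:Subscribe", MY_TOPIC),
        ("OtherUser publishes to MyTopic", OTHER_USER, "sns:Publish", MY_TOPIC),
        ("MyUser publishes to OtherTopic", MY_USER, "sns:Publish", OTHER_TOPIC),
    ]
    return {label: evaluate(ENDPOINT_POLICY, p, a, r) for label, p, a, r in requests}


if __name__ == "__main__":
    for label, decision in page_cases().items():
        print(f"{decision:5}  {label}")
```

Running the block prints one Allow (MyUser publishing to MyTopic) and three Deny lines, matching the list above. Swapping the Action value for "sns:*" shows why a broad endpoint policy undoes the point of the exercise: every SNS call from the VPC would then be permitted as far as the endpoint is concerned.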
Note
The IAM user can still use other Amazon SNS API actions from outside the VPC. The endpoint policy only restricts requests that travel through this endpoint; it does not replace or override IAM identity-based policies or the topic's access policy, and it grants nothing on its own. For the publish to succeed, MyUser also needs an IAM policy (and, if the topic has one, a topic policy) that allows sns:Publish on MyTopic.