Is it possible to limit sns:Subscribe in the SNS topic's access policy to a specific SQS queue ARN for cross-account subscriptions?

Question

Hi,

I know its possible to limit sns:Subscribe to a specific IAM role for cross-account subscriptions to an SNS topic in the topic's access policy, but I'm wondering if its possible to do the same for an SQS queue that subscribes to the SNS topic because the SQS queue is not able to assume a role.

Below you can see our SNS topic's access policy that limits based on AWS account:

```
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "Allow-TitleStatusEvents-To-Subscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1111111111:root"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sns:us-west-2:nnnnn"
    },
  // ...
}
```

Any ideas?

Thanks!

Answer

Hello.

An access policy is a policy for allowing access, so if you are going to set it, I think you need to use an SQS access policy instead of an SNS access policy.  
I think the SQS access policy described in the following document is easy to understand.  
The following SQS access policy is for SQS "arn:aws:sqs:us-east-2:444455556666:MyQueue" only from SNS topic "arn:aws:sns:us-east-2:444455556666:MyTopic" Access is allowed.  
https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html#sns-publish-messages-to-sqs-queue  
```
{
  "Statement": [{
    "Sid": "Allow-SNS-SendMessage",
    "Effect": "Allow",
    "Principal": {
      "Service": "sns.amazonaws.com"
    },
    "Action": ["sqs:SendMessage"],
    "Resource": "arn:aws:sqs:us-east-2:444455556666:MyQueue",
    "Condition": {
      "ArnEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-2:444455556666:MyTopic"
      }
    }
  }]
}
```

Is it possible to limit sns:Subscribe in the SNS topic's access policy to a specific SQS queue ARN for cross-account subscriptions?

Relevant content