Is it possible to limit sns:Subscribe in the SNS topic's access policy to a specific SQS queue ARN for cross-account subscriptions?

0

Hi,

I know its possible to limit sns:Subscribe to a specific IAM role for cross-account subscriptions to an SNS topic in the topic's access policy, but I'm wondering if its possible to do the same for an SQS queue that subscribes to the SNS topic because the SQS queue is not able to assume a role.

Below you can see our SNS topic's access policy that limits based on AWS account:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "Allow-TitleStatusEvents-To-Subscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1111111111:root"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sns:us-west-2:nnnnn"
    },
  // ...
}

Any ideas?

Thanks!

asked a year ago413 views
1 Answer
0

Hello.

An access policy is a policy for allowing access, so if you are going to set it, I think you need to use an SQS access policy instead of an SNS access policy.
I think the SQS access policy described in the following document is easy to understand.
The following SQS access policy is for SQS "arn:aws:sqs:us-east-2:444455556666:MyQueue" only from SNS topic "arn:aws:sns:us-east-2:444455556666:MyTopic" Access is allowed.
https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html#sns-publish-messages-to-sqs-queue

{
  "Statement": [{
    "Sid": "Allow-SNS-SendMessage",
    "Effect": "Allow",
    "Principal": {
      "Service": "sns.amazonaws.com"
    },
    "Action": ["sqs:SendMessage"],
    "Resource": "arn:aws:sqs:us-east-2:444455556666:MyQueue",
    "Condition": {
      "ArnEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-2:444455556666:MyTopic"
      }
    }
  }]
}
profile picture
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions