Hey everyone! I'm working on an app that's hosted on AWS, and I've realized that it currently has broader permissions than necessary. My app uses SNS just to send individual SMS messages to users, but it doesn't utilize any other SNS features, so it shouldn't have access to any SNS Topics.
I've been trying to craft an IAM policy specifically for this use, but it's turning out to be a bit complicated. The action needed to send an SMS is `SNS:Publish`, with the phone number as the resource. I've tried a few different approaches, but I keep hitting a wall. For instance, AWS doesn't allow the use of wildcards on Resources except for ARNs (I even attempted `"Resources": "+*"`), and using conditions on `sns:Protocol` doesn't seem to work as expected (I think that only applies to topics that use SMS).
So far, I've settled on this policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "SNS:Publish",
      "NotResource": "arn:aws:sns:*:*:*"
    }
  ]
}
```
Is there a better way to craft this policy for my purpose?
3 Answers
You should definitely consider using a condition based on the protocol. Here’s an example of what that might look like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sns:Protocol": "sms"
        }
      }
    }
  ]
}
```
I find that policy a bit too permissive. While you have the right action (`Publish`), you could narrow it down by specifying the particular Topic ARN instead of using a wildcard. Just be careful with what permissions you're opening up—might lead to unexpected behavior.
The issue is that I don't have any ARNs to use since I'm sending SMS directly to phone numbers.
You might want to be cautious with the `NotResource` because it can complicate what permissions you're actually granting. The `sns:Publish` action should only support topics listed in the resource block. If you don't specify a Topic ARN, it can allow for more than just SMS.
One option is to subscribe SMS numbers to a specific SNS Topic. Then, your app can publish messages to that Topic which only has SMS numbers as subscribers. That could help simplify your permissions as well! Here’s a link that might clarify the resources available: [AWS SNS Documentation](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html)
Thanks for the insights! I hadn't thought about subscribing numbers to a topic—might just be the solution I need!
I’m not sure about that. I think `Protocol` isn't a valid condition for `sns:Publish`; it’s typically valid for subscribing instead.
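To compare the approaches raised in this thread side by side (the asker's `NotResource` statement, the `sns:Protocol` condition from the first answer, the topic-scoped `Resource` from the second answer, and an Allow-plus-explicit-Deny variant that nobody in the thread proposed), here is a small, deliberately simplified model of IAM policy evaluation. It is an added example, not code from the thread or from AWS, and it only models the rules the discussion depends on: an explicit Deny beats any Allow, no matching Allow is an implicit deny, `Resource`/`NotResource` use `*` wildcards, and a `StringEquals` condition on a key that is absent from the request context is false. Two assumptions are baked in: an SMS publish to a phone number carries no ARN and is therefore evaluated against the resource `*` (which is why AWS's own SMS policy example uses `"Resource": "*"`), and `sns:Publish` does not supply an `sns:Protocol` key (the service authorization reference linked above lists that key under `Subscribe`). The account ID and topic name are made up.

```python
"""Simplified model of IAM evaluation for sns:Publish (added example, not AWS code)."""
import re

# Constructed requests (assumption: a phone-number publish has no ARN and is
# evaluated against the resource "*"; a topic publish uses the topic ARN).
SMS_REQUEST = ("sns:Publish", "*")
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ExampleTopic"  # made-up
TOPIC_REQUEST = ("sns:Publish", TOPIC_ARN)

# The asker's policy: allow Publish to anything that is not an SNS ARN.
ASKER_NOTRESOURCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "SNS:Publish", "NotResource": "arn:aws:sns:*:*:*"}]}

# First answer: gate on sns:Protocol. Publish supplies no such key (assumption
# from the service authorization reference, which lists it under Subscribe).
PROTOCOL_CONDITION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "*",
     "Condition": {"StringEquals": {"sns:Protocol": "sms"}}}]}

# Second answer: publish only to one topic whose subscribers are SMS numbers.
TOPIC_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}]}

# Not proposed in the thread: Allow "*" plus an explicit Deny on every topic ARN.
ALLOW_WITH_EXPLICIT_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sns:Publish", "Resource": "*"},
    {"Effect": "Deny", "Action": "sns:Publish", "Resource": "arn:aws:sns:*:*:*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """Match an IAM-style pattern: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; ARNs are compared as written.
    if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt:
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            return False
    elif "NotResource" in stmt:
        # NotResource applies the statement to everything NOT matching the list.
        if any(_glob_match(r, resource) for r in _as_list(stmt["NotResource"])):
            return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"model only supports StringEquals, got {operator}")
        for key, expected in pairs.items():
            # A key missing from the request context makes StringEquals false.
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def report(policy):
    """Decisions for the two requests the thread cares about."""
    return {"sms": evaluate(policy, *SMS_REQUEST), "topic": evaluate(policy, *TOPIC_REQUEST)}


if __name__ == "__main__":
    for name, policy in [("NotResource (asker)", ASKER_NOTRESOURCE),
                         ("sns:Protocol condition", PROTOCOL_CONDITION),
                         ("single topic ARN", TOPIC_SCOPED),
                         ("Allow * + Deny topics", ALLOW_WITH_EXPLICIT_DENY)]:
        print(f"{name:24s} {report(policy)}")
```

Under this model the `NotResource` statement and the Allow-plus-Deny variant both permit the phone-number publish and block topic publishes (the second with an explicit deny, which also survives any broader Allow attached elsewhere); the `sns:Protocol` condition never matches because Publish does not put that key in the request context, so it grants nothing; and the topic-scoped policy blocks direct SMS sends entirely, which is exactly why the second answer moves the phone numbers into topic subscriptions.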