
AWS SNS Topic Policy Cloudformation


Trying to create an SNS topic using a CloudFormation script. It all works fine, except the topic policy.

This is what we get by default:

[screenshot: default topic policy]

I want to update the policy as below using a CloudFormation script.

[screenshot: desired topic policy]

Any suggestions on how to achieve this?


Solution

  • As was pointed out in one of the comments, you don't want to use AWS: "*" as a principal, since it grants anyone with an AWS account access.

    To create an SNS topic and restrict access to certain services, or to anyone in the account, use the following example.

    The "AllowServices" SID shows how to add multiple services, while the "AllowAWS" SID allows anything in the account to access it.

    ---
    AWSTemplateFormatVersion: '2010-09-09'
    
    Parameters:
      Email:
        Type: String
        Default: <your name here>
    
    Resources:
      Topic:
        Type: AWS::SNS::Topic
        Properties:
          TopicName: TestTopic
          Subscription:
          - Endpoint: !Ref Email
            Protocol: email
    
      TopicPolicy:
        Type: AWS::SNS::TopicPolicy
        Properties:
          PolicyDocument:
            Statement:
              - Sid: AllowServices
                Effect: Allow
                Principal:
                  Service:
                    - events.amazonaws.com
                    - cloudwatch.amazonaws.com
                Action: 'sns:Publish'
                Resource:
                  - !Ref Topic
              - Sid: AllowAWS
                Effect: Allow
                Principal:
                  AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
                Action: 'sns:Publish'
                Resource:
                  - !Ref Topic
          Topics:
            - !Ref Topic
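The point made in the answer (a bare AWS: "*" principal is open to every AWS account, while a principal scoped to the account root or to named services is not) is easy to check mechanically once the policy is resolved into the JSON the SNS console shows. The script below is an added example and is not part of the original answer or of any AWS tooling: it walks a topic policy's Allow statements and reports those whose principal is a wildcard with no account-scoping condition. The three sample policies are constructed for the example; the account id 123456789012 and the topic ARN are placeholders, and the "default" policy only approximates the shape SNS generates (a wildcard principal pinned with an AWS:SourceOwner condition).

```python
"""Flag SNS topic-policy statements that any AWS account could use."""
import json

# Condition keys (compared case-insensitively) that pin a wildcard principal
# to one account or organisation. Assumption: these are the keys we accept as scoping.
ACCOUNT_SCOPING_KEYS = {
    "aws:sourceowner", "aws:sourceaccount", "aws:principalaccount", "aws:principalorgid",
}
# Only positive-match operators count; StringNotEquals on these keys would widen, not narrow.
SCOPING_OPERATORS = {"stringequals", "stringequalsignorecase", "stringlike", "arnequals", "arnlike"}


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True for Principal: "*" or Principal: {"AWS": "*"} in scalar or list form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def condition_scopes_account(condition):
    """True when a positive-match operator names an account-scoping key."""
    if not isinstance(condition, dict):
        return False
    for operator, key_values in condition.items():
        if operator.lower() not in SCOPING_OPERATORS or not isinstance(key_values, dict):
            continue
        if any(key.lower() in ACCOUNT_SCOPING_KEYS for key in key_values):
            return True
    return False


def find_open_statements(policy):
    """Return the Sids of Allow statements reachable from any AWS account."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        if condition_scopes_account(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample policies (placeholder account id and topic ARN).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:TestTopic"

OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowAnyone", "Effect": "Allow",
                 "Principal": {"AWS": "*"}, "Action": "sns:Publish",
                 "Resource": "%s"}]
}""" % TOPIC_ARN)

DEFAULT_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{"Sid": "__default_statement_ID", "Effect": "Allow",
                 "Principal": {"AWS": "*"}, "Action": ["SNS:Publish", "SNS:Subscribe"],
                 "Resource": "%s",
                 "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}}]
}""" % TOPIC_ARN)

# Resolved form of the answer's template: named services plus the account root.
RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowServices", "Effect": "Allow",
     "Principal": {"Service": ["events.amazonaws.com", "cloudwatch.amazonaws.com"]},
     "Action": "sns:Publish", "Resource": ["%s"]},
    {"Sid": "AllowAWS", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sns:Publish", "Resource": ["%s"]}
  ]
}""" % (TOPIC_ARN, TOPIC_ARN))

if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("default", DEFAULT_POLICY),
                         ("restricted", RESTRICTED_POLICY)]:
        print(f"{name}: open statements = {find_open_statements(policy)}")
```

Run it on the JSON copied from the topic's "Access policy" tab (or on the output of `aws sns get-topic-attributes`) after deploying the template; only the open policy should produce a finding, which is exactly the case the comment on the answer warns about.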