Tags: amazon-web-services, aws-lambda, amazon-iam, amazon-sns

Why do some AWS services require the requestor to have IAM policies?


Like connecting Lambda to SNS, for example.

I tried setting up an SNS TopicPolicy that allows publishing to SNS from my VPC CIDR group. This didn't work and required me to make an SNS Publish action role and attach that to the Lambda instead.

I would have guessed that the action denial was on the service, and not the requestor, but that doesn't seem to be the case.


Solution

  • It looks like this behavior just depends on the service.

    In the case of SNS, the default permission is to allow access to the topic from all services in your account: Example cases for Amazon SNS access control. I agree with you that this important point should be a bit more obviously stated.

    Amazon SNS grants a default policy to all newly created topics. The default policy grants access to your topic to all other AWS services. This default policy uses an aws:SourceArn condition to ensure that AWS services access your topic only on behalf of AWS resources you own.

    Here's what the default policy looks like if you're curious. Notice that the Principal is *.

    {
      "Version": "2008-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "__default_statement_ID",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": [
            "SNS:Publish",
            "SNS:RemovePermission",
            "SNS:SetTopicAttributes",
            "SNS:DeleteTopic",
            "SNS:ListSubscriptionsByTopic",
            "SNS:GetTopicAttributes",
            "SNS:AddPermission",
            "SNS:Subscribe"
          ],
          "Resource": "arn:aws:sns:XXX:XXXX:testTopic",
          "Condition": {
            "StringEquals": {
              "AWS:SourceOwner": "XXXX"
            }
          }
        }
      ]
    }
    

    With Lambda, however, you need to explicitly grant access permissions when working with other services.
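The answer above contrasts the two sides of the authorization decision: the resource-based policy on the SNS topic (default `Principal: *` scoped by an `AWS:SourceOwner` condition) and the identity-based policy on the Lambda execution role that actually has to grant `sns:Publish`. The following is an added example, not code from the post or from AWS: it builds a least-privilege execution-role policy for one topic, evaluates an identity policy the way IAM does (explicit Deny wins, otherwise some Allow must match), and reviews a topic policy for the risky pattern of a wildcard principal with no account-scoping condition. The account id, region and topic ARN are constructed sample values; `SCOPING_KEYS` is limited to the two condition keys named in the answer.

```python
import fnmatch

# Constructed sample identifiers (not taken from the original post).
ACCOUNT_ID = "111122223333"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:testTopic"

# Condition keys that pin a wildcard principal to resources you own.
SCOPING_KEYS = {"aws:sourceowner", "aws:sourcearn"}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """Actions and ARNs match case-insensitively with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def lambda_publish_policy(topic_arn):
    """Least-privilege identity policy for the Lambda execution role: one action, one topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPublishToOneTopic",
                "Effect": "Allow",
                "Action": "sns:Publish",
                "Resource": topic_arn,
            }
        ],
    }


def identity_policy_allows(policy, action, resource):
    """Simplified IAM evaluation of an identity-based policy.

    A matching explicit Deny wins outright; otherwise the request is allowed
    only if some Allow statement matches both the action and the resource.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_glob(a, action) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_glob(r, resource) for r in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def _has_wildcard_principal(stmt):
    """True for Principal "*" or Principal {"AWS": "*"} (the SNS default form)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def topic_policy_findings(policy, account_id):
    """Review an SNS topic (resource-based) policy for over-broad Allow statements.

    A Principal of '*' is only acceptable when a Condition restricts callers to
    your own account's resources (aws:SourceOwner / aws:SourceArn), which is
    exactly what the SNS default policy does. Returns a list of finding strings.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _has_wildcard_principal(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        conditions = {}
        for _operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                conditions[key.lower()] = value
        if not (SCOPING_KEYS & set(conditions)):
            findings.append(f"{sid}: Principal '*' with no aws:SourceOwner/aws:SourceArn condition (topic is open to any caller)")
            continue
        owners = _as_list(conditions.get("aws:sourceowner"))
        if owners and account_id not in owners:
            findings.append(f"{sid}: aws:SourceOwner is {owners!r}, expected {account_id!r}")
    return findings


# Constructed topic policies: the default-style one and a copy with the Condition dropped.
DEFAULT_STYLE_TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": ACCOUNT_ID}},
    }],
}
OPEN_TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{k: v for k, v in DEFAULT_STYLE_TOPIC_POLICY["Statement"][0].items() if k != "Condition"}],
}

if __name__ == "__main__":
    role = lambda_publish_policy(TOPIC_ARN)
    print("role can publish:", identity_policy_allows(role, "sns:Publish", TOPIC_ARN))
    print("default topic policy findings:", topic_policy_findings(DEFAULT_STYLE_TOPIC_POLICY, ACCOUNT_ID))
    print("open topic policy findings:", topic_policy_findings(OPEN_TOPIC_POLICY, ACCOUNT_ID))
```

The evaluator is deliberately minimal (no condition evaluation on the identity side, no cross-account logic); its point is the shape of the decision, not a substitute for the IAM policy simulator. The review function is the check to run before loosening a topic policy: a wildcard principal without a scoping condition turns the topic into a publicly writable endpoint.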