I have a CloudFormation template. The problem area is the very last Resource statement, but I can not figure out why.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation Template for Amazon Cognito
Resources:
  DummyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false
      IdentityPoolName: Dummy
  DummyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      DeletionProtection: 'ACTIVE'
      EnabledMfas:
        - 'SMS_MFA' # SMS_MFA can only be enabled if SMS configuration is provided.
      MfaConfiguration: 'ON'
      SmsConfiguration:
        ExternalId: Test
        SnsCallerArn: !GetAtt SnsSmsCallerRole.Arn
        SnsRegion: !Ref AWS::Region
  SnsSmsCallerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cognito-idp.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CognitoSNSPublish
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sns:Publish
                Resource:
                  - Fn::Sub: arn:aws:sns:*:*:*
```
The template deploys when I make the Resource under the 'CognitoSNSPublish' policy a wildcard, like `Resource: *`, and it works, it deploys.

Here's the problem: when I change the Resource to be specific, like `Resource: arn:aws:sns:*:*:*`, or `Resource: arn:aws:sns:sns:*:*`, or `Resource: arn:aws:sns:<my-region>:*:*`, or `Resource: arn:aws:sns:<my-region>:<my-account-id>:*`, it fails with the following error:
Resource handler returned message: "Role does not have permission to publish with SNS (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 338a4-9de1-47f0536218f0)" (RequestToken: 101a93b5-q0lo-5e4c-810d-lol22j2nsa2, HandlerErrorCode: InvalidRequest)
The `sns:Publish` action works only with `sns`. It can't be used with any other service. Thus `Resource: *` will effectively limit your action to `sns` only.
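As an added illustration of the answer's point (not part of the original question or answer): a small IAM-style policy evaluator in Python that runs the poster's `CognitoSNSPublish` statement against sample requests. It shows that with `Resource: *` the `Action` element alone keeps the role limited to `sns:Publish`, and that the narrower ARN patterns from the question cannot match a request that carries no topic ARN. The evaluator, the sample topic ARN and the phone-number request are constructed here, and the assumption that an SMS publish is evaluated without a topic ARN is mine, not the page's.

```python
import fnmatch
from typing import Dict, List, Union

# Constructed sample requests (not from the page).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:SampleTopic"
PHONE_NUMBER = "+15555550100"  # assumption: an SMS publish carries no topic ARN


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _glob(pattern: str, value: str, fold_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' a single one."""
    if fold_case:  # action names are case-insensitive in IAM; ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def build_policy(resource: Union[str, List[str]]) -> Dict:
    """The poster's CognitoSNSPublish statement with a chosen Resource element."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["sns:Publish"], "Resource": resource}],
    }


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: implicit deny, explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, fold_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Resource: * still denies anything that is not sns:Publish; the SNS ARN patterns
    # only match a real topic ARN, never the phone-number request.
    for res in ["*", "arn:aws:sns:*:*:*", "arn:aws:sns:sns:*:*"]:
        p = build_policy(res)
        print(f"Resource: {res!r:22} topic={is_allowed(p, 'sns:Publish', TOPIC_ARN)} "
              f"sms={is_allowed(p, 'sns:Publish', PHONE_NUMBER)} "
              f"s3={is_allowed(p, 's3:GetObject', 'arn:aws:s3:::bucket/key')}")
```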