Tags: amazon-web-services, sms, amazon-sns, policy

AWS Role Policy for different SMS numbers


I need some help with setting up a role policy for SMS in AWS.

Basically, I am writing a Lambda function to send SMS, but which number it sends to depends on the date.

For example: I have 2 numbers now.

const myMobile = 333;
const partnerMobile = 444;

I will do some logic in Lambda to see under what condition the SMS will be sent to myMobile or partnerMobile.

I know I can create a new IAM user with an access key and secret key, which would work, but since it's AWS Lambda it seems like a bit too much, since there are roles and permissions that AWS products can use to access each other without creating extra keys.

I tried using a topic and subscription, but if using a topic then the policy would look like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-west-2:##73038361###:SMS-Some-topic"
        }
    ]
}

But this wouldn't work, because it'll publish to all numbers under the topic, which means both myMobile and partnerMobile will get the message, but I only want one of them to get it when the logic matches.

I know that doing this below would work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "*"
        }
    ]
}

But it feels like a bit too much to use a wildcard. So I'm wondering if there are any other options without using a wildcard. If there are no other options then I can stick with the wildcard, but again I wonder if there are alternatives.

Thanks everyone in advance for any suggestions / advice.


Solution

  • If you want to be selective as to which SNS Topic subscriber receives a message, you can use Amazon SNS message filtering - Amazon Simple Notification Service:

    By default, an Amazon SNS topic subscriber receives every message that's published to the topic. To receive only a subset of the messages, a subscriber must assign a filter policy to the topic subscription.

    A filter policy is a JSON object containing properties that define which messages the subscriber receives. Amazon SNS supports policies that act on the message attributes or on the message body, according to the filter policy scope that you set for the subscription. Filter policies for the message body assume that the message payload is a well-formed JSON object.

    If a subscription doesn't have a filter policy, the subscriber receives every message published to its topic. When you publish a message to a topic with a filter policy in place, Amazon SNS compares the message attributes or the message body to the properties in the filter policy for each of the topic's subscriptions. If any of the message attributes or message body properties match, Amazon SNS sends the message to the subscriber. Otherwise, Amazon SNS doesn't send the message to that subscriber.

    If your AWS Lambda function is sending a message to the SNS Topic, and the two SMS recipients are subscribed to that topic, you can add an SNS filter policy that determines which subscriber will receive the message. This could be done on the content of the message, or your Lambda function could add a message attribute when sending the message to the SNS Topic and this attribute could be used in the filter policy to determine who should receive the message.

    If you are always sending to only one recipient, the Lambda function could instead just call publish() with a phone number without needing to reference an SNS Topic. This will send the message to just that recipient without having to use any subscriber filter policies.

    See: Publishing to a mobile phone - Amazon Simple Notification Service