
Forbidden on sns:ListTopics with wildcard resources

My team has an account with full permissions on SNS, as long as we act on resources that carry a certain prefix:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "sns:CreateTopic",
          // ...
          "sns:ListTopics",
          // ...
      ],
      "Resource": "arn:aws:sns:eu-west-1:{redacted}:team-prefix-*"
    }
  ]
}

We can do most operations just fine, at least the ones we need most, but if we try to list the topics we get a forbidden error:

SNS: ListTopics, AuthorizationError: User xxx is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:eu-west-1:{redacted}:*

We are using the new Go SDK v2, and we cannot find a way to query only for our topics. Is there a way to list them, or do we need list permissions on all the account's topics?

sns:ListTopics does not have a resource filter (per https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html); it's an all-or-nothing operation.
Excerpt from the Amazon docs: "if you specify a resource type in a statement with an action that does not support that resource type, then the statement doesn't allow access." (link)

Typically, this is what the IAM document should look like if you want to be able to list:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "sns:CreateTopic"
      ],
      "Resource": "arn:aws:sns:eu-west-1:{redacted}:team-prefix-*"
    },
    {
      "Effect": "Allow",
      "Action": [
          "sns:ListTopics"
      ],
      "Resource": "*"
    },
    ...
  ]
}

If separation at that granular level is really that big of a concern, separate AWS accounts should be used.
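The policy above grants sns:ListTopics on "*" because the call is evaluated account-wide; what no policy can do is narrow the list that comes back. With the Go SDK v2 the practical approach is to page through ListTopics and keep only the ARNs whose topic name starts with the team prefix, anchored on the region and account so a similarly named topic elsewhere is not picked up. The following is an added example and is not code from the question's author or the answer: the real SNS client (sns.NewListTopicsPaginator with HasMorePages/NextPage in the SDK) is replaced by a one-method interface and a fake that serves constructed pages, and the account ID 123456789012 and topic names are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// topicPage mirrors one ListTopics response: the topic ARNs on this page and
// the NextToken that fetches the following page ("" when there are no more).
type topicPage struct {
	TopicArns []string
	NextToken string
}

// topicLister is the only method this example needs from the SNS client.
// The real *sns.Client exposes ListTopics(ctx, *sns.ListTopicsInput); this
// narrow interface is an assumption that keeps the example runnable offline.
type topicLister interface {
	ListTopics(nextToken string) (topicPage, error)
}

// ListTeamTopics walks every ListTopics page (the API has no server-side
// filter, so the caller must hold sns:ListTopics on "*") and returns only the
// ARNs whose name field starts with prefix in the given region and account.
// Matching on the full ARN prefix means "other-team-prefix-x" and a topic in
// another account with the same name are both excluded.
func ListTeamTopics(client topicLister, region, account, prefix string) ([]string, error) {
	want := fmt.Sprintf("arn:aws:sns:%s:%s:%s", region, account, prefix)
	var out []string
	token := ""
	for {
		page, err := client.ListTopics(token)
		if err != nil {
			return nil, fmt.Errorf("ListTopics: %w", err)
		}
		for _, arn := range page.TopicArns {
			if strings.HasPrefix(arn, want) {
				out = append(out, arn)
			}
		}
		if page.NextToken == "" {
			return out, nil
		}
		token = page.NextToken
	}
}

// fakeSNS is a stand-in for the SNS client that serves constructed pages
// keyed by the token used to request them. Unknown tokens return an error,
// which is how the real service reacts to an expired or bogus NextToken.
type fakeSNS struct{ pages map[string]topicPage }

func (f fakeSNS) ListTopics(nextToken string) (topicPage, error) {
	p, ok := f.pages[nextToken]
	if !ok {
		return topicPage{}, fmt.Errorf("invalid NextToken %q", nextToken)
	}
	return p, nil
}

// SampleClient returns constructed data spanning two pages: two topics owned
// by the team, one unrelated topic, one with a look-alike prefix, and one
// with the team prefix but in a different account.
func SampleClient() fakeSNS {
	return fakeSNS{pages: map[string]topicPage{
		"": {
			TopicArns: []string{
				"arn:aws:sns:eu-west-1:123456789012:team-prefix-orders",
				"arn:aws:sns:eu-west-1:123456789012:billing-alerts",
			},
			NextToken: "page2",
		},
		"page2": {
			TopicArns: []string{
				"arn:aws:sns:eu-west-1:123456789012:team-prefix-events",
				"arn:aws:sns:eu-west-1:123456789012:other-team-prefix-x",
				"arn:aws:sns:eu-west-1:999999999999:team-prefix-orders",
			},
			NextToken: "",
		},
	}}
}

func main() {
	topics, err := ListTeamTopics(SampleClient(), "eu-west-1", "123456789012", "team-prefix-")
	if err != nil {
		panic(err)
	}
	for _, t := range topics {
		fmt.Println(t)
	}
}
```

The filter is client-side only: every ARN in the account still crosses the wire, so ListTopics on "*" discloses the names of other teams' topics even though the prefix-scoped statement blocks Publish, Subscribe and the rest on them. If that disclosure itself is the concern, the answer's suggestion of separate accounts is the only real fix.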

