stackoom
  简体   繁体   中英

AWS SNS Topic Policy Cloudformation

 原文  2017-07-10 19:01:03       amazon-web-services/ amazon-cloudformation/ amazon-sns

Question

Trying to create an SNS topic using cloud formation script. It all works fine, except the topic policy.

This is what we get by default,

在此处输入图像描述

I want to update the policy as below using cloud formation script.

在此处输入图像描述 Any suggestions on how to achieve this?

3 answers

solution1
 8 ACCPTED  2021-03-01 19:03:42

As was pointed out in one of the comments, you don't want to use AWS:* as a principal since it grants anyone with an AWS account access.

To create a SNS topic, and restrict access to certain services, or anyone in the account, use the following example.

The "AllowServices" SID show how to add multiple services, while the AllowAWS allows anything in the account to access it. 

---
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  Email:
    Type: String
    Default: <your name here>

Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: TestTopic
      Subscription:
      - Endpoint: !Ref Email
        Protocol: email

  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Sid: AllowServices
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
                - cloudwatch.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
          - Sid: AllowAWS
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
      Topics:
        - !Ref Topic

solution2
 7  2017-11-03 12:02:30

I think you need a AWS::SNS::TopicPolicy resource. Check out this link AWS::SNS::TopicPolicy

solution3
 2  2020-02-26 22:18:59

you can use this- i've removed the default condition which locks down own account

SNSAccessPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
     PolicyDocument:
       Id: <Yourtopic>
       Statement:
         -
           Action: 
            - "sns:Publish"
            - "SNS:GetTopicAttributes"
            - "SNS:SetTopicAttributes"
            - "SNS:AddPermission"
            - "SNS:RemovePermission"
            - "SNS:DeleteTopic"
            - "SNS:Subscribe"
            - "SNS:ListSubscriptionsByTopic"
            - "SNS:Publish"
            - "SNS:Receive"
           Effect: Allow
           Principal:
             AWS: "*"
           Resource:
             Ref: <Yourtopic>
     Topics:
       -
         Ref: <Yourtopic>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Using CDK, SNS topic Policy Statement, use actions: ["sns:*"], Cloudformation results in "Policy statement action out of service scope!" Is to possible to create SNS topic with multiple email Recipients in cloudformation template? AWS Video Rekognition is not publishing results to SNS Topic How to add email subscription of SNS Topic on CloudFormation Script? AWS SNS: Different policy for multiple SourceOwner boto3 SNS: Add a filter policy while subscribing to a topic How to exclude cloudwatch alarns from SNS topic using filter policy? How to add AWS managed policy through CloudFormation How to use Firebase Cloud Messaging(FCM) topic with AWS SNS Can I create Slack subscriptions to an AWS SNS topic?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM