Open jdheyburn opened 4 years ago
When no policy is attached to an SNS topic, the default SNS topic policy is used, which grants far more actions than are typically required against it.
{ "Version": "2008-10-17", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:AddPermission", "SNS:RemovePermission", "SNS:DeleteTopic", "SNS:Subscribe", "SNS:ListSubscriptionsByTopic", "SNS:Publish", "SNS:Receive" ], "Resource": "arn:aws:sns:REGION:ACC_ID:test", "Condition": { "StringEquals": { "AWS:SourceOwner": "ACC_ID" } } } ] }
Attach topic policies to the SNS topics to replace the defaults assigned to them.
E.g.
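# Least-privilege topic policy for the metric_alarms SNS topic, replacing the AWS
# default policy (which additionally grants GetTopicAttributes, SetTopicAttributes,
# AddPermission, RemovePermission, DeleteTopic and ListSubscriptionsByTopic).
# Only Subscribe, Receive and Publish are kept, and the wildcard principal is
# narrowed by the AWS:SourceOwner condition to principals in this account.
data "aws_iam_policy_document" "metric_alarms" {
  policy_id = "metric_alarms"

  statement {
    sid    = "__secure_statement_ID"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    # Splat rather than [0]: this data source carries no count, so it is still
    # evaluated when enable_negative_match_alerts is false and the topic has
    # count 0; indexing [0] would then fail at plan time with an invalid-index
    # error. The splat yields an empty list in that case and the document is
    # simply never attached.
    resources = aws_sns_topic.metric_alarms[*].arn

    actions = [
      "SNS:Subscribe",
      "SNS:Receive",
      "SNS:Publish",
    ]

    # Without this condition the "*" principal would allow any AWS account.
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Attach the policy only when the topic itself is created.
resource "aws_sns_topic_policy" "metric_alarms" {
  count = var.enable_negative_match_alerts ? 1 : 0

  arn    = aws_sns_topic.metric_alarms[0].arn
  policy = data.aws_iam_policy_document.metric_alarms.json
}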
Background
When no policy is attached to an SNS topic, the default SNS topic policy is used, which grants far more actions than are typically required against it.
Desired Change
Attach topic policies to the SNS topics to replace the defaults assigned to them.
E.g.