4

I want to set up IAM policies to allow a user to publish to SNS to send SMS and to publish to a specific SNS arn.

I have found a way to allow SMS publish without allowing any SNS publish: Authorization when sending a text message using AmazonSNSClient

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "*"
        }
    ]
}

But this policy is explicitly denying all other SNS publish, so I can't add a policy allowing a specific SNS.

The problem is that SMS publish does not have a specific arn.

So I am looking at conditions to find a way to limit the allow to publish only SMS. But the specific SMS parameters (PhoneNumber cf https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SNS.html#publish-property) cannot be filtered in condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "*",
            "Condition": {"Null":{"PhoneNumber":"false"}}
        }
    ]
}

[image: error message]

Is there a way to accomplish such a policy?

Pilou
  • 1,398
  • 13
  • 24

1 Answer

18

Actually to do the trick I found a way using an allow with the NotResource JSON Policy Element (spec). I use this property to match the resources which do NOT have an ARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "NotResource": "arn:aws:sns:*:*:*"
        }
    ]
}

With this trick I can allow all sns Publish without ARN (but I don't know if there is any other services than SMS...).

This also allows me to allow specific ARNs in another policy.

Community
  • 1
  • 1
Pilou
  • 1,398
  • 13
  • 24
  • Did you ever find out if this allowed any other unwanted resources? I too am trying to publish text messages to direct numbers but only allow that. Is there perhaps a way to define a topic that will let you publish to any number and then you have an arn to set in the policy instead of leaving the policy open ended? – crwh05 Dec 24 '21 at 11:49
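To make the difference between the question's Deny-then-Allow policy and the answer's NotResource policy visible without an AWS account, here is an added example (not code from the question, the answer, or AWS): a toy IAM evaluator covering only Effect, Action, Resource and NotResource, with IAM's ordering (explicit deny beats allow, anything unmatched is an implicit deny). It assumes, following the thread's observation that an SMS publish has no ARN, that such a request authorizes against an empty resource string; the account id and topic names are constructed placeholders.

```python
# Added example, not the thread's or AWS's code: a minimal IAM-style policy
# evaluator that models only what this thread needs.
# Assumption: a direct SMS publish carries no ARN, modelled as "".
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/NotResource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters, including none."""
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def statement_applies(stmt, action, resource):
    """True when this statement covers the given action/resource pair."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    if not _matches(actions, action.lower()):  # action names are case-insensitive
        return False
    if "Resource" in stmt:
        return _matches(_as_list(stmt["Resource"]), resource)
    if "NotResource" in stmt:
        # NotResource: the statement applies to every resource EXCEPT the listed ones
        return not _matches(_as_list(stmt["NotResource"]), resource)
    return False


def evaluate(policies, action, resource=""):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


# The question's first policy: deny every SNS ARN, then allow '*'.
DENY_THEN_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["sns:Publish"], "Resource": "arn:aws:sns:*:*:*"},
        {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "*"},
    ],
}

# The answer's policy: allow Publish on anything that is NOT an SNS ARN.
NOT_RESOURCE_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sns:Publish"], "NotResource": "arn:aws:sns:*:*:*"},
    ],
}

# A second policy allowing one specific topic (constructed account id and topic name).
ALLOWED_TOPIC = "arn:aws:sns:us-east-1:123456789012:alerts"
OTHER_TOPIC = "arn:aws:sns:us-east-1:123456789012:other"
TOPIC_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sns:Publish", "Resource": ALLOWED_TOPIC},
    ],
}

SMS_REQUEST = ""  # assumption: a direct SMS publish has no ARN to authorize against


def compare():
    """Decisions for both approaches, each combined with the topic policy."""
    results = {}
    for name, base in (("deny_then_allow", DENY_THEN_ALLOW),
                       ("not_resource", NOT_RESOURCE_ALLOW)):
        policies = [base, TOPIC_ALLOW]
        results[name] = {
            "sms": evaluate(policies, "sns:Publish", SMS_REQUEST),
            "allowed_topic": evaluate(policies, "sns:Publish", ALLOWED_TOPIC),
            "other_topic": evaluate(policies, "sns:Publish", OTHER_TOPIC),
        }
    return results


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

Running it shows why the first policy cannot be combined with a topic-specific allow: its explicit Deny on `arn:aws:sns:*:*:*` also denies the topic the second policy tries to allow. With NotResource, the SMS request (no ARN) is allowed, the one topic is allowed by the second policy, and every other topic falls through to an implicit deny. It also makes the open end the answer and the comment worry about explicit: the NotResource statement allows any `sns:Publish` whose authorization carries no SNS ARN, not SMS specifically, so the effective scope is "everything the service does not name with an ARN".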