Utkarsh Malviya

Reputation: 73

Amazon SNS Policy to restrict subscriptions is not working

I am creating an SNS topic in Account A with the policy statement below:

{
  "Sid": "Give Access to Different Account Queues to subscribe to my topic",
  "Effect": "Allow",
  "Principal": {
    "AWS": "AccountId of Account B"
  },
  "Action": "sns:Subscribe",
  "Resource": "Arn of my SNS topic present in Account A",
  "Condition": {
    "StringEquals": {
      "sns:Protocol": "sqs"
    },
    "ForAllValues:StringEquals": {
      "sns:Endpoint": [
        "Arn of Queue A present in Account B",
        "Arn of Queue B present in Account B"
      ]
    }
  }
}

After creating the above topic and policy in Account A, I log into Account B through the console and try to subscribe Queue C to my SNS topic. The subscription still succeeds and the queue receives the subscription confirmation message! But ideally, with the above policy, only Queue A and Queue B should be able to subscribe to my SNS topic.

Upvotes: 0

Views: 1121

Answers (1)

John Rotenstein

Reputation: 270089

Your policy worked perfectly fine for me, but I had to change the Principal to reference arn:aws:iam::ACCOUNT-B:root. (I can't remember where I got that from, but it appeared at some stage.)

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:root"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sns:ap-southeast-2:ACCOUNT-A:topic",
      "Condition": {
        "StringEquals": {
          "sns:Protocol": "sqs"
        },
        "ForAllValues:StringEquals": {
          "sns:Endpoint": [
            "arn:aws:sqs:ap-southeast-2:ACCOUNT-B:queue1",
            "arn:aws:sqs:ap-southeast-2:ACCOUNT-B:queue2"
          ]
        }
      }
    }
  ]
}

I was able to subscribe from queue1 and queue2, but not queue3.

Upvotes: 2
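To make the behaviour of the answer's policy checkable without an AWS account, here is an added example (not code from the question, the answer, or AWS): a small Python model of the subset of IAM evaluation this statement relies on. It builds the answer's policy from placeholder account IDs and ARNs (constructed, not the poster's real values), treats a bare 12-digit account ID as shorthand for that account's root ARN, and implements `StringEquals` and `ForAllValues:StringEquals` with their IAM semantics. That last point is the caveat a practitioner should know: `ForAllValues:*` is a set operator that passes vacuously when the request carries no value for the key, so it restricts a key without requiring it; `sns:Endpoint` is always present on a Subscribe call, so the policy above is fine, but for a single-valued key the plain `StringEquals` operator is the safer default. The model ignores identity-based policies and explicit Deny statements.

```python
"""Toy model of IAM resource-policy evaluation for the SNS topic policy
discussed in the thread. Added example, not AWS's evaluator: it covers
only Allow statements, AWS principals, StringEquals and
ForAllValues:StringEquals. All identifiers below are constructed placeholders.
"""
import json

# Constructed placeholder accounts and ARNs (not the poster's real values).
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
TOPIC_ARN = f"arn:aws:sns:ap-southeast-2:{ACCOUNT_A}:topic"


def queue_arn(name):
    """ARN of an SQS queue in Account B, the subscribing account."""
    return f"arn:aws:sqs:ap-southeast-2:{ACCOUNT_B}:{name}"


def topic_policy(principal, endpoint_operator="ForAllValues:StringEquals"):
    """The answer's policy. The principal and the operator applied to
    sns:Endpoint are parameters so the thread's variants can be compared."""
    condition = {"StringEquals": {"sns:Protocol": "sqs"}}
    condition.setdefault(endpoint_operator, {})["sns:Endpoint"] = [
        queue_arn("queue1"),
        queue_arn("queue2"),
    ]
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sns:Subscribe",
            "Resource": TOPIC_ARN,
            "Condition": condition,
        }],
    }


def as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(arn):
    """Account field of arn:partition:service:region:account:resource."""
    return arn.split(":")[4]


def principal_matches(spec, caller_arn):
    """"*" matches anyone. A bare 12-digit account ID is shorthand for that
    account's root ARN, and granting the root principal delegates to every IAM
    identity in that account (the caller's own identity-based policy must also
    allow the call; this toy model does not check that side)."""
    if spec == "*":
        return True
    for p in as_list(spec.get("AWS", [])):
        if p == "*":
            return True
        if p.isdigit() and len(p) == 12:
            p = f"arn:aws:iam::{p}:root"
        if p == caller_arn:
            return True
        if p.endswith(":root") and account_of(p) == account_of(caller_arn):
            return True
    return False


def condition_matches(condition, context):
    """context maps condition keys to the list of values in the request."""
    for operator, clauses in condition.items():
        for key, allowed in clauses.items():
            allowed = [str(v) for v in as_list(allowed)]
            present = context.get(key, [])
            if operator == "StringEquals":
                # Single-valued operator: the key must be present and match.
                if not present or any(v not in allowed for v in present):
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Set operator: every request value must be allowed. An absent
                # key is the empty set, which passes vacuously, so this operator
                # cannot by itself require the key to be present.
                if any(v not in allowed for v in present):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def subscribe_allowed(policy, caller_arn, protocol, endpoint):
    """True when some Allow statement grants sns:Subscribe on the topic to
    caller_arn for this protocol/endpoint. endpoint=None models a hypothetical
    request with no sns:Endpoint value, to expose the ForAllValues caveat."""
    context = {"sns:Protocol": [protocol]}
    if endpoint is not None:
        context["sns:Endpoint"] = [endpoint]
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "sns:Subscribe" not in as_list(st["Action"]):
            continue
        if TOPIC_ARN not in as_list(st["Resource"]):
            continue
        if not principal_matches(st["Principal"], caller_arn):
            continue
        if not condition_matches(st.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    caller = f"arn:aws:iam::{ACCOUNT_B}:user/alice"  # an identity in Account B
    policy = topic_policy(f"arn:aws:iam::{ACCOUNT_B}:root")
    print(json.dumps(policy, indent=2))
    for name in ("queue1", "queue2", "queue3"):
        print(name, subscribe_allowed(policy, caller, "sqs", queue_arn(name)))
```

Running it reproduces the answer's observation (queue1 and queue2 allowed, queue3 refused) and shows that the bare account ID and the root ARN behave the same in this model; the last two assertions in the accompanying test contrast the `ForAllValues:StringEquals` and `StringEquals` forms on a request that lacks the key.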
