Why does an SNS access control policy require a Resource element to be specified - Is it not implicit?

An identity-based policy does not require "Principal" to be specified as it is implicit. Applying the same justification to an SNS access control policy (which is a resource-based policy), why is it required to specify the same SNS topic as "Resource" in the policy? For buckets, a "Resource" helps in narrowing to specific prefixes etc., but what exactly is the point of having an (implicit) "Resource" in an SNS access control policy? I.e., the topic ARN is specified as the "Resource" but the policy is attached to the same topic. An example of an SNS access control policy from the AWS documentation is shown below for reference.

{
  "Statement": [{
    "Sid": "grant-1234-publish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "111122223333"
    },
    "Action": ["sns:Publish"],
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"
  }]
}

Upvotes: 3

Views: 3492

Answers (1)

Marcin

Reputation: 238091

The syntax for defining policy statements requires Resource or NotResource. From the docs:

Statements must include either a Resource or a NotResource element.

So you have to explicitly provide it. SNS topics don't use any special policy syntax that would allow them not to have a Resource component.

Thus, I don't think there is anything more to it. It's just a syntax requirement for correct policy statements.

Upvotes: 3
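
An added example (not from the question, the answer, or AWS documentation): a small linter for the rule quoted in the answer, which also reports statements whose Resource does not cover the topic the policy is attached to. The second and third statements in the sample policy and all function names are constructed for illustration.

```python
import json
import re

# Constructed sample: the statement from the question, plus one statement with
# no Resource and one naming a different topic (both invented for this example).
TOPIC_ARN = "arn:aws:sns:us-east-2:444455556666:MyTopic"
POLICY_JSON = """
{
  "Statement": [
    {"Sid": "grant-1234-publish", "Effect": "Allow",
     "Principal": {"AWS": "111122223333"},
     "Action": ["sns:Publish"],
     "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"},
    {"Sid": "missing-resource", "Effect": "Allow",
     "Principal": {"AWS": "111122223333"},
     "Action": ["sns:Subscribe"]},
    {"Sid": "other-topic", "Effect": "Allow",
     "Principal": {"AWS": "111122223333"},
     "Action": ["sns:Publish"],
     "Resource": ["arn:aws:sns:us-east-2:444455556666:OtherTopic"]}
  ]
}
"""

def as_list(value):
    # "Statement" and "Resource" may each be a single value or an array.
    return value if isinstance(value, list) else [value]

def arn_pattern_matches(pattern, arn):
    # Policy wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def lint_topic_policy(policy, topic_arn):
    """Return (sid, problem) pairs for statements that need review."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{index}]")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append((sid, "no Resource or NotResource element"))
        elif "Resource" in stmt and not any(
                arn_pattern_matches(p, topic_arn) for p in as_list(stmt["Resource"])):
            findings.append((sid, "Resource does not cover the attached topic"))
    return findings

if __name__ == "__main__":
    for sid, problem in lint_topic_policy(json.loads(POLICY_JSON), TOPIC_ARN):
        print(f"{sid}: {problem}")
```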
