Elad Hazan

Reputation: 391

AWS Deny Policy Role specific account

I would like to create a policy in an AWS IAM Role which applies DENY sns:DeleteTopic to a specific account.

I tried this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "sns:DeleteTopic",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:userid": [
                        "AROA24JI6FVYT2EIWXNVM:elad",
                        "11111111111"
                    ]
                }
            }
        }
    ]
}

But it is not working.

Also, I want to do the same for a SAML provider. Is it possible?

Thanks, Elad

Upvotes: 0

Views: 244

Answers (1)

JD D

Reputation: 8087

What you are asking is not possible or does not 100% make sense. You can't deny access to another account via an IAM Role because the users in the other account will not be using that role to make the request.

Here are a few options I can think of, but you may need to provide more information on how the entities in this external account are making requests to your account (assuming roles, direct requests with IAM authentication).

  1. IAM entities from an external account are denied access by default. You can allow other entities to access your topic by adding a "resource policy" to your SNS topic that grants them permissions. You can update the resource policy on your topics to ensure that permissions are not given to this account.

  2. A user/role in another account may be assuming a role in your account to get permissions to delete a topic. If this is the case, update the role's trust policy to prevent the users in that account from assuming your role.

Upvotes: 1
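As an added illustration of option 1 above (example policy, not from the answer or the questioner), an SNS topic resource policy that keeps cross-account access closed and additionally puts an explicit Deny on sns:DeleteTopic for every principal in the external account. The topic owner account 222222222222, the external account 111111111111, the region and the topic name are placeholders; the global condition key aws:PrincipalAccount is the account ID of whoever makes the request.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnerAccountUsesTopic",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
      "Action": ["sns:Publish", "sns:Subscribe", "sns:GetTopicAttributes"],
      "Resource": "arn:aws:sns:us-east-1:222222222222:example-topic"
    },
    {
      "Sid": "DenyDeleteTopicFromExternalAccount",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sns:DeleteTopic",
      "Resource": "arn:aws:sns:us-east-1:222222222222:example-topic",
      "Condition": {
        "StringEquals": { "aws:PrincipalAccount": "111111111111" }
      }
    }
  ]
}
```

The explicit Deny wins over any Allow that someone later adds to this topic for account 111111111111, which is what makes it useful even though cross-account access is already denied by default; the assumed-role case in option 2 is controlled in the role's trust policy, not here.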
