Creating policy to give external AWS account access to SNS


I am trying to create a policy for my SNS topic, for it to be accessed by an external AWS account.

I am doing this via CDK. So I used this code to do what I want:

// CDK v2 import path (assumed); in CDK v1 the same classes come from '@aws-cdk/aws-iam'.
import { AccountPrincipal, Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';

// Grant the external account permission to subscribe to and publish on this topic.
// AccountPrincipal expects the account ID as a string, not a number.
sns.addToResourcePolicy(new PolicyStatement({
    actions: ["sns:Subscribe", "sns:Publish"],
    effect: Effect.ALLOW,
    resources: [sns.topicArn],
    principals: [new AccountPrincipal("123456789")]
}));

Where 123456789 is the external account ID.

This is generating this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:eu-west-1:987654321:NotificationSNS"
    }
  ]
}

Though I saw in the documentation here:

{
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy",
      "Action": [
        "sns:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Principal": {
        "AWS": [
          "account-id1",
          "account-id2",
          "account-id3"
        ]
      }
    }
  ]
}

Notice that in this case we are using account-id1 instead of arn:aws:iam::account-id:root.

Wanted to check whether these are equivalent.

CodePudding user response:

Wanted to check whether these are equivalent.

Yes, they are equivalent as explained in the AWS docs:

The account ARN and the shortened account ID behave the same way.
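The equivalence the answer points to, as an added example (not code from the question, the answer, or AWS): a small TypeScript checker that canonicalises the "AWS" principals of a synthesized SNS topic policy so that a bare account ID and its `arn:aws:iam::<id>:root` form compare equal, and then verifies that every Allow statement grants only to an expected allow-list of external accounts. It goes a step beyond the question by also surfacing a `"*"` (anonymous) principal as unexpected, which is the check a reviewer would want on a cross-account topic policy. The policy shape is the plain JSON CDK emits above; real account IDs are 12 digits, and the IDs and statements below are constructed placeholders. This is not CDK's or AWS's code.

```typescript
// Added example: canonicalise and review the "AWS" principals of an SNS topic policy.
// Assumptions: policy is the JSON document CDK synthesizes; account IDs are 12 digits;
// all sample IDs and statements below are constructed.

type Principal = string | { AWS?: string | string[]; Service?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version?: string;
  Id?: string;
  Statement: Statement[];
}

const ROOT_ARN = /^arn:aws:iam::(\d{12}):root$/;
const ACCOUNT_ID = /^\d{12}$/;

// Canonical form of one "AWS" principal entry: the 12-digit account ID for both
// accepted spellings (bare ID and arn:aws:iam::<id>:root), "*" for the anonymous
// principal, otherwise the string unchanged (e.g. a role ARN) so unknown forms are
// never silently treated as a whole account.
function canonicalAwsPrincipal(p: string): string {
  if (p === "*") return "*";
  if (ACCOUNT_ID.test(p)) return p;
  const m = ROOT_ARN.exec(p);
  return m ? m[1] : p;
}

function unique(xs: string[]): string[] {
  return xs.filter((x, i) => xs.indexOf(x) === i);
}

// All "AWS" principals of a statement, canonicalised. A bare Principal: "*" counts too.
function awsPrincipalsOf(s: Statement): string[] {
  const pr = s.Principal;
  if (pr === undefined) return [];
  if (typeof pr === "string") return [canonicalAwsPrincipal(pr)];
  const aws: string[] = pr.AWS === undefined ? [] : Array.isArray(pr.AWS) ? pr.AWS : [pr.AWS];
  return aws.map(canonicalAwsPrincipal);
}

// True when two statements grant to the same set of AWS principals, whatever spelling each uses.
function samePrincipals(a: Statement, b: Statement): boolean {
  const sa = unique(awsPrincipalsOf(a));
  const sb = unique(awsPrincipalsOf(b));
  return sa.length === sb.length && sa.every((x) => sb.indexOf(x) !== -1);
}

// Review check: every Allow statement may grant only to accounts in `allowed`.
// Returns the offending canonical principals; an empty array means the policy passes.
function unexpectedPrincipals(doc: PolicyDocument, allowed: string[]): string[] {
  const ok = allowed.map(canonicalAwsPrincipal);
  const bad: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    for (const p of awsPrincipalsOf(s)) {
      if (ok.indexOf(p) === -1 && bad.indexOf(p) === -1) bad.push(p);
    }
  }
  return bad;
}

// Constructed samples: the CDK spelling and the docs spelling of the same grant,
// plus an over-permissive statement that a review should flag.
const topicArn = "arn:aws:sns:eu-west-1:987654321098:NotificationSNS";

const cdkStatement: Statement = {
  Sid: "0",
  Effect: "Allow",
  Principal: { AWS: "arn:aws:iam::123456789012:root" },
  Action: ["sns:Subscribe", "sns:Publish"],
  Resource: topicArn,
};

const docsStatement: Statement = {
  Sid: "AWSConfigSNSPolicy",
  Effect: "Allow",
  Principal: { AWS: ["123456789012"] },
  Action: ["sns:Publish"],
  Resource: topicArn,
};

const openStatement: Statement = {
  Effect: "Allow",
  Principal: "*",
  Action: "sns:Publish",
  Resource: topicArn,
};

console.log(samePrincipals(cdkStatement, docsStatement)); // true
console.log(unexpectedPrincipals({ Version: "2012-10-17", Statement: [cdkStatement, openStatement] }, ["123456789012"])); // [ '*' ]
```

Run this against the policy CDK prints at synth time (for example the `AWS::SNS::TopicPolicy` resource in the generated template) with the allow-list set to the external accounts you intend to trust; any value in the returned array is a principal the policy grants to that you did not ask for.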
