5

AWS documentation has examples of different SNS access control configurations.

There are two similar configuration examples:

The first one allows another account's S3 bucket to publish notifications to an SNS topic:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
  "Condition": {
    "StringEquals": {
      "AWS:SourceAccount": "444455556666"
    }
  }
}

The second one allows another account's SES email to publish notifications to an SNS topic:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
  "Condition": {
    "StringEquals": {
      "aws:SourceOwner": "111122223333"
    }
  }
}

The difference is that the first example uses aws:SourceAccount and the second one uses aws:SourceOwner.

The docs have a dedicated paragraph called "aws:SourceAccount versus aws:SourceOwner", but the distinction between these two statements is still unclear to me.

Could you please clarify the difference between aws:SourceAccount and aws:SourceOwner policy statements?

Aleksei Chernenkov

3 Answers

5

The difference can be seen only when the owner of a resource is different from the account that the resource belongs to. It's an advanced setup. Here is an excerpt from the official doc that gives an example of this kind of setup.

... it is possible for another account to own a resource in your account. For example, the trusting account might allow the trusted account to create new resources, such as creating new objects in an Amazon S3 bucket.

Source

tamakisquare
  • Thank you for your answer! Can I specify both `SourceOwner` and `SourceAccount` in conditions? Does it mean that the principal (the one who makes an action) must be owned by `SourceOwner` and live in `SourceAccount`? – Aleksei Chernenkov Oct 21 '20 at 12:31
  • I have never tried that myself. If I were to guess, I think this is doable and my understanding is exactly as you described. – tamakisquare Oct 22 '20 at 15:36
  • FYI. `aws:SourceOwner` doesn't even have a definition in the AWS documentation. [github issue](https://github.com/awsdocs/iam-user-guide/issues/111) – tamakisquare Oct 22 '20 at 15:40
2

1. SourceOwner is used for giving access to other AWS Services from a specific account

For example, we want to define a policy that allows only SES from the account 111122223333 to publish messages to the topic 444455556666:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
      "Condition": {
        "StringEquals": {
          "aws:SourceOwner": "111122223333"
        }
      }
    }
  ]
}

2. SourceAccount is used for giving IAM roles access from an account to the topic.

For example, we want to define a policy that allows only the account 444455556666 to publish messages to the topic 111122223333:

{
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
    "Condition": {
      "StringEquals": {
        "AWS:SourceAccount": "444455556666"
      }
    }
  }]
}

Now for case #1, if you have only one account, it doesn't make sense because SES will use the same account as SNS. But if you have more accounts, it brings a benefit in that you only allow SES of a particular account to send messages to your topic.

Hope it helps. If it is not clear, please put comments, and I will try to explain more.

Adding more information to make things clearer.

  1. Take the example of S3 sending an SNS message. For this case, AWS will use the credentials of an internal S3 account and make a call on behalf of your account, NOT from the resource. Because of that, we need to use aws:SourceAccount to perform validation in the policy.

  2. Take the example of SES sending an SNS message. For this case, AWS will use the credentials of an internal S3 account and make a call on behalf of your resource, NOT from the account. Because of that, we need to use aws:SourceOwner in the policy.

I would recommend you refer to the documentation case by case to understand which one you need to use. But I do hope you understand the differences between the two of them now.

eatsfood
Nghia Do
  • Thank you for your response! But it is still not clear to me. Can I use the `SourceAccount` condition with a `Service: ses.aws.com` principal? What would be the difference with `SourceOwner` + `Service: ses.aws.com`? My examples (in the question) seem absolutely equal: they both use a `Service: ...` principal but they use different conditions. What would be the difference if I use the same principal (e.g. ses.amazonaws.com) with different conditions? – Aleksei Chernenkov Sep 10 '20 at 04:46
  • Hi, thank you for making things clear. The section that explains "S3 account makes a call on behalf of your account" definitely helps me to clear my doubt. May I know how I can tell if the AWS resource is calling on behalf of our account or our resource? Will the documentation specifically state it? For the S3 send SNS message example, I could not find the documentation which states that S3 will call on behalf of our account. If the documentation does exist, can anyone help to point out the documentation? – Jin Tan Dec 27 '22 at 04:52
  • Unfortunately nothing in this response is clear. The question is "what's the difference", but that isn't shared here. – Warren Parad Jan 15 '23 at 17:51
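As an added illustration (not code from the question or any of the answers, and a deliberately simplified model rather than AWS's real policy evaluator), the following Python script checks the two statement shapes discussed in this answer against a request context and shows which condition key each one needs the calling service to supply. It assumes single-action statements with a `Service` principal and only the `StringEquals` operator; explicit `Deny` statements and other principal types are out of scope.

```python
import json

# Constructed sample statements, copied from the answer above with the ARN kept on
# one line. They differ only in the condition key: aws:SourceOwner vs aws:SourceAccount.
SES_SOURCE_OWNER = json.loads("""{
  "Effect": "Allow",
  "Principal": {"Service": "ses.amazonaws.com"},
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
  "Condition": {"StringEquals": {"aws:SourceOwner": "111122223333"}}
}""")
S3_SOURCE_ACCOUNT = json.loads("""{
  "Effect": "Allow",
  "Principal": {"Service": "s3.amazonaws.com"},
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
  "Condition": {"StringEquals": {"AWS:SourceAccount": "444455556666"}}
}""")


def statement_allows(stmt, service, action, resource, context):
    """Simplified check of one Allow statement against a service-principal call.

    `context` holds the condition keys the calling service actually supplies.
    Key names are compared case-insensitively (so "AWS:SourceAccount" and
    "aws:SourceAccount" are the same key); a key the caller never supplies
    cannot satisfy StringEquals, so the statement grants nothing.
    """
    if stmt.get("Effect") != "Allow":
        return False
    if stmt.get("Principal", {}).get("Service") != service:
        return False
    if stmt["Action"].lower() != action.lower():  # action names are case-insensitive
        return False
    if stmt["Resource"] != resource:
        return False
    ctx = {k.lower(): v for k, v in context.items()}
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key.lower()) != want:
            return False
    return True


def policy_allows(policy, service, action, resource, context):
    """Whole policy document: any matching Allow statement grants access
    (explicit Deny statements are out of scope for this simulation)."""
    return any(statement_allows(s, service, action, resource, context)
               for s in policy["Statement"])
```

The practical consequence is the confused-deputy check: a statement conditioned on a key the calling service does not populate never matches, so the condition key has to be the one that service really sends.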
1

The difference is as others have described. It might be worth noting this from the GitHub issue: https://github.com/awsdocs/iam-user-guide/issues/111#issuecomment-1252880839

We don't plan to document aws:SourceOwner.
aws:SourceAccount was introduced as the preferred replacement.

So I would suggest using only aws:SourceAccount going forward.

MEMark