3

I have the access policy set up like the below for an SNS topic. I thought I have allowed only the user2 to subscribe to the topic but user1 can subscribe the topic. How can I configure this for what I want to do?

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:user/user1"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:user/user2"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    }
  ]
}
Milan Gatyás
  • 2,509
  • 1
  • 17
  • 23
jiminssy
  • 2,149
  • 6
  • 28
  • 45
  • Should we try to Deny * at the end? – Nghia Do Sep 25 '20 at 11:20
  • What are the IAM active policies of the `user1`, could you provide the details? Is he not ehaving .g. in administrator access? My assumption is that his policies is allowing him to subscribe to SNS topic. – Milan Gatyás Sep 25 '20 at 11:20
  • By default any new user woudn't have even access to sns. So there must be some other policy somewhere which allows it. – Marcin Sep 25 '20 at 11:25
  • Both `user1` and `user2` there have full SNS permission in their IAM user settings. I was hoping configuring specific users with `"Effect": "Allow"` would only allow those users only. – jiminssy Sep 25 '20 at 14:37
  • @jiminssy I don't think this is how policies behave. Only `Deny` permission overrides the `Allow` one. See https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html for more details – Milan Gatyás Sep 30 '20 at 12:01

1 Answers1

2

User1 can subscribe because it has an identity-based policy that allows the action (the full SNS permission). If you look at the policy evaluation logic, you'll see that either resource-based policies (the ones you added to the SNS topic) and identity-based policies (the full SNS permissions you added to user1) is enough to allow access.

When user1 tries to subscribe to the topic, IAM looks at both policies. The topic policy does not apply, but the SNS full access does, so the operation is allowed.

If you want to make sure that user1 can not subscribe, you can add a Deny policy to the SNS topic:

    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:user/user1"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    }

If you add this statement, when user1 tries to subscribe, IAM will see that there is a matching Deny statement and will reject the request.

If you want to make sure only user2 can subscribe, you can use a NotPrincipal with a reject:

    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::${account_id}:user/user2"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    }

This matches all users except user2 and denies subscribing, no matter what other policies they might have.

Tamás Sallai
  • 3,195
  • 1
  • 14
  • 25