Description
Background
When no policy is attached to an SNS topic, the default SNS topic policy is used, which is far more permissive than the actions typically required against the topic would warrant.
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"
],
"Resource": "arn:aws:sns:REGION:ACC_ID:test",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "ACC_ID"
}
}
}
]
}
Desired Change
Attach topic policies to the SNS topics to replace the defaults assigned to them.
E.g.
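# Topic policy for the metric-alarms SNS topic, replacing the account-wide
# default policy with only the actions the topic needs.
#
# The principal stays "*", so the AWS:SourceOwner condition below is the only
# thing scoping access to this account; the two belong together, and removing
# the condition would expose Publish/Subscribe to any AWS account.
data "aws_iam_policy_document" "metric_alarms" {
  # Gated on the same flag as the topic policy (and, presumably, the topic
  # itself, given the [0] index): a data source is evaluated on every plan,
  # so without this count the aws_sns_topic.metric_alarms[0] reference fails
  # whenever the topic is not created.
  count = var.enable_negative_match_alerts ? 1 : 0

  policy_id = "metric_alarms"

  statement {
    sid    = "__secure_statement_ID"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      aws_sns_topic.metric_alarms[0].arn,
    ]

    # Narrowed from the default policy: GetTopicAttributes, SetTopicAttributes,
    # AddPermission, RemovePermission, DeleteTopic and ListSubscriptionsByTopic
    # are deliberately not granted here.
    actions = [
      "SNS:Subscribe",
      "SNS:Receive",
      "SNS:Publish",
    ]

    # Intended to limit the "*" principal to callers owned by this account.
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"
      values = [
        data.aws_caller_identity.current.account_id,
      ]
    }
  }
}

resource "aws_sns_topic_policy" "metric_alarms" {
  count = var.enable_negative_match_alerts ? 1 : 0

  arn = aws_sns_topic.metric_alarms[0].arn
  # Indexed because the policy document is count-gated on the same flag.
  policy = data.aws_iam_policy_document.metric_alarms[0].json
}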