Addition of policy snippet for SNS access policy #4280

Open
sciencepal opened this issue Sep 24, 2024 · 3 comments
Assignees
Labels
feature-request This issue requests a feature. p2 This is a standard priority issue response-requested Waiting on additional information or feedback. service-api This issue is caused by the service API, not the SDK implementation. sns

Comments

@sciencepal

sciencepal commented Sep 24, 2024

Describe the feature

Currently, the AddPermission feature on SNS topics only allows AWS Account IDs to be added to the policy. However, there have been use cases where I needed to add policy statements with AWS Service principals or specific conditions like StringEquals. Currently, the only way to do this is to replace the entire policy. May I request a feature to add a policy blob or support addition of Service principals and conditions?

Use Case

Quite often, I needed to add policy statements with AWS Service principals or specific conditions like StringEquals. Currently, the only way to do this is to replace the entire policy.

Proposed Solution

May I request a feature to add a policy blob or support addition of Service principals or conditions?

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

Boto 1.35.22

Environment details (OS name and version, etc.)

MacOS Sonoma 14.6.1

@sciencepal sciencepal added feature-request This issue requests a feature. needs-triage This issue or PR still needs to be triaged. labels Sep 24, 2024
@tim-finnigan tim-finnigan self-assigned this Sep 26, 2024
@tim-finnigan
Contributor

Thanks for reaching out. Since the add_permission command uses the AddPermission API you referenced, this feature request would need to go to the SNS team. I can reach out to them internally on your behalf with this request. Before doing that, could you provide a specific example? For example — a code snippet of what you are trying to do and how you are currently blocked. If you can share any more details on your use case please let us know.

@tim-finnigan tim-finnigan added response-requested Waiting on additional information or feedback. service-api This issue is caused by the service API, not the SDK implementation. sns p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Sep 26, 2024
@sciencepal
Author

Hi @tim-finnigan, thanks for the response. I am currently trying to enable S3 events to be pushed to SNS. Every time I want a new bucket's notifications (cross-account) sent to the SNS topic, I need to allow service principal s3 for that bucket in the SNS policy. I want to automate this permission addition to the SNS policy via boto / Python Lambda.

@github-actions github-actions bot removed the response-requested Waiting on additional information or feedback. label Oct 1, 2024
@tim-finnigan
Contributor

Thanks for following up — I heard back from someone internally who highlighted that the SNS API SetTopicAttributes (boto3 command set_topic_attributes) can be used to set up the SNS topic policy with AWS Service principals and conditions based on your requirements.

To remove the ability to change topic permissions, you must deny permissions to the AddPermission, RemovePermission, and SetTopicAttributes actions in your IAM policy. You should be able to use SetTopicAttributes to automate the process. Here is a sample policy to append a service principal using boto3/Python Lambda:

import boto3
import json

client = boto3.client('sns')
# Placeholder ARN as given in the comment; substitute your account ID and topic name
topic_arn = 'arn:aws:sns:us-east-1:xxxxxxxxxx:SetTopicAttributes'

def lambda_handler(event, context):
    # Read the current topic policy; it is returned as a JSON string attribute
    response = client.get_topic_attributes(
        TopicArn=topic_arn
    )
    policy = json.loads(response['Attributes']['Policy'])
    print(json.dumps(policy))

    # Guard against repeated invocations appending the same statement again
    if any(s.get('Sid') == 'AllowS3ToPublish' for s in policy['Statement']):
        return "already present"

    policy['Statement'].append({
        "Sid": "AllowS3ToPublish",
        "Effect": "Allow",
        "Principal": {
            "Service": "s3.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": topic_arn
    })

    # Write the modified document back; this replaces the whole Policy attribute
    response = client.set_topic_attributes(
        TopicArn=topic_arn,
        AttributeName='Policy',
        AttributeValue=json.dumps(policy)
    )

    return "success"

Please let us know if that addresses your use case or if you have any follow-up questions.
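The read-modify-write pattern above (GetTopicAttributes, edit the JSON, SetTopicAttributes) is what the reporter's cross-account S3 use case needs, but two things are worth getting right when it runs unattended: the grant should be scoped to the one bucket and account it is meant for (via aws:SourceArn and aws:SourceAccount conditions, so any other bucket that can reach s3.amazonaws.com cannot use the same statement), and the merge should be idempotent so a re-run does not pile up duplicate statements. The following is an added example, not code from the issue, the SNS team, or boto3; it assumes an object with boto3-style get_topic_attributes / set_topic_attributes methods is passed in, and uses a constructed in-memory stub so it runs offline. The helper names, the topic ARN and the bucket/account values are all made up for the example.

```python
"""Idempotent, least-privilege merge of an S3 publish grant into an SNS topic policy.

Added example (assumptions): `sns_client` is anything exposing boto3-style
get_topic_attributes / set_topic_attributes; StubSnsClient below is a
constructed stand-in so the module runs without AWS credentials.
"""
import json
from typing import Any, Dict, List


def s3_publish_statement(topic_arn: str, bucket_name: str, bucket_account: str) -> Dict[str, Any]:
    """Statement letting only the S3 service, acting for this bucket in this
    account, publish to the topic. The two conditions are what stop a bucket
    in some other account from riding on the same service-principal grant."""
    # Sid is restricted to alphanumerics, so strip hyphens/dots from the bucket name
    sid = "AllowS3Publish" + "".join(c for c in bucket_name if c.isalnum())
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {
            "StringEquals": {"aws:SourceAccount": bucket_account},
            "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
        },
    }


def merge_statement(policy: Dict[str, Any], statement: Dict[str, Any]) -> bool:
    """Insert the statement, or replace the one with the same Sid.
    Returns True only when the policy changed, so callers can skip the write."""
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):  # policy grammar allows a single bare statement
        statements = [statements]
        policy["Statement"] = statements
    for i, existing in enumerate(statements):
        if existing.get("Sid") == statement["Sid"]:
            if existing == statement:
                return False
            statements[i] = statement
            return True
    statements.append(statement)
    return True


def apply_statement(sns_client, topic_arn: str, statement: Dict[str, Any]) -> bool:
    """Read-modify-write of the Policy attribute. Returns whether a write happened."""
    attrs = sns_client.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    policy = json.loads(attrs.get("Policy") or '{"Version": "2012-10-17", "Statement": []}')
    if not merge_statement(policy, statement):
        return False
    sns_client.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy", AttributeValue=json.dumps(policy)
    )
    return True


class StubSnsClient:
    """Constructed in-memory stand-in for boto3.client('sns'); records writes."""

    def __init__(self, policy: Dict[str, Any]):
        self.policy_json = json.dumps(policy)
        self.writes = 0

    def get_topic_attributes(self, TopicArn: str) -> Dict[str, Any]:
        return {"Attributes": {"Policy": self.policy_json}}

    def set_topic_attributes(self, TopicArn: str, AttributeName: str, AttributeValue: str) -> None:
        assert AttributeName == "Policy"
        json.loads(AttributeValue)  # SNS would reject malformed JSON; fail loudly here too
        self.policy_json = AttributeValue
        self.writes += 1

    def policy(self) -> Dict[str, Any]:
        return json.loads(self.policy_json)


TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:s3-events"  # constructed placeholder

if __name__ == "__main__":
    client = StubSnsClient({"Version": "2012-10-17", "Statement": []})
    stmt = s3_publish_statement(TOPIC_ARN, "example-bucket", "222222222222")
    print(apply_statement(client, TOPIC_ARN, stmt))  # True: statement written
    print(apply_statement(client, TOPIC_ARN, stmt))  # False: already present, no write
    print(json.dumps(client.policy(), indent=2))
```

With a real client, replace StubSnsClient with boto3.client('sns'); the Lambda's execution role then needs sns:GetTopicAttributes and sns:SetTopicAttributes on that topic only, and the statement's Sid doubles as the key that makes re-running the handler for an already-onboarded bucket a no-op.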

@tim-finnigan tim-finnigan added the response-requested Waiting on additional information or feedback. label Oct 11, 2024