
An identity-based policy does not require "Principal" to be specified, as it is implicit. Applying the same justification to an SNS access control policy (which is a resource-based policy), why is it required to specify the same SNS topic as "Resource" in the policy? For buckets, a "Resource" helps in narrowing to specific prefixes etc., but what exactly is the point of having an (implicit) "Resource" in an SNS access control policy? i.e. the topic ARN is specified as the "Resource", but the policy is attached to the same topic. An example of an SNS access control policy from the AWS documentation is shown below for reference.

{
  "Statement": [{
    "Sid": "grant-1234-publish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "111122223333"
    },
    "Action": ["sns:Publish"],
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"
  }]
}

1 Answer


The syntax for defining policy statements requires Resource or NotResource. From docs:

Statements must include either a Resource or a NotResource element.

So you have to explicitly provide it. SNS topics don't use any special policy syntax that would allow them to omit the Resource element.

Thus, I don't think there is anything more to it. It's just a syntax requirement for correct policy statements.

Marcin
  • I was comparing this more from an IAM policy, where Principal or NotPrincipal is not required as it is implicit. The syntax for a resource policy does not seem consistent with an IAM policy. – Abhishek Palakkal Kaliyath Aug 13 '20 at 05:35
  • 1
    @AbhishekPalakkalKaliyath I think there is some confusion between [Identity-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_id-based) and [Resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based). They have different purposes; thus in the first ones there is no need for a Principal. – Marcin Aug 13 '20 at 05:38
  • I agree but I feel it is duplicating the resource name in (Resource) policy when the policy is attached to the resource itself - SNS topic in this case. – Abhishek Palakkal Kaliyath Aug 13 '20 at 05:41
  • 1
    @AbhishekPalakkalKaliyath I understand. But that's a design decision AWS made a long time ago. Could it be better? Probably yes. Is it going to change? Probably not. So we have to live with it for the time being. – Marcin Aug 13 '20 at 05:44
  • 1
    Correct. Also, I think the reason for "Resource" being made mandatory could be that each service has its own set of resources, with some actions applying specifically to a resource type. E.g. in the case of a bucket, some actions apply to the bucket and other actions to objects in the bucket. A resource could have subresources. That's not true in the case of SNS topics, but AWS probably wanted to be consistent with the "Resource" element, i.e. they did not want to make an exception on the "Resource" element for resources without subresources. – Abhishek Palakkal Kaliyath Aug 13 '20 at 05:50
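The syntax rule from the answer (every statement needs Resource or NotResource) and the point raised in the comments (the Resource in a topic policy has to name the very topic the policy is attached to) are both things worth checking mechanically before a policy is deployed. The following Python checker is an added example, not code from the question, the answer, or AWS; it takes a topic policy and the ARN of the topic it is attached to, applies those two checks, and additionally flags an Allow statement whose Principal is "*" with no Condition, which is the usual way a topic ends up publicly publishable. The policy from the question is used as the valid sample; the second policy and its Sids are constructed for the example. ARN matching uses IAM's `*` and `?` wildcards, an assumption about how the checker should compare patterns rather than a reproduction of AWS's evaluation engine.

```python
import json
import re

# Constructed sample: the topic policy quoted in the question, attached
# to the topic it names in its own Resource element.
TOPIC_ARN = "arn:aws:sns:us-east-2:444455556666:MyTopic"

QUESTION_POLICY = json.loads("""{
  "Statement": [{
    "Sid": "grant-1234-publish",
    "Effect": "Allow",
    "Principal": { "AWS": "111122223333" },
    "Action": ["sns:Publish"],
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"
  }]
}""")

# Constructed sample with three defects: a Resource naming a different
# topic, a world-readable Allow with no Condition, and a statement with
# no Resource at all (invalid syntax per the answer above).
DEFECTIVE_POLICY = {
    "Statement": [
        {
            "Sid": "wrong-topic",
            "Effect": "Allow",
            "Principal": {"AWS": "111122223333"},
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-2:444455556666:OtherTopic",
        },
        {
            "Sid": "world-publish",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
        },
        {
            "Sid": "no-resource",
            "Effect": "Allow",
            "Principal": {"AWS": "111122223333"},
            "Action": "sns:Subscribe",
        },
    ]
}


def _as_list(value):
    """IAM allows a string or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_arn(pattern, arn):
    """Match an ARN against an IAM-style pattern ('*' any run, '?' one char)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two public forms."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def check_topic_policy(policy, topic_arn):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")

        # Syntax rule quoted in the answer: Resource or NotResource is mandatory.
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{sid}: statement must contain Resource or NotResource")

        # Resource-based policies must say who is being granted access.
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append(f"{sid}: resource-based statement must contain Principal or NotPrincipal")

        # The duplication the comments discuss: a Resource that does not match
        # the attached topic will never match a request against that topic.
        resources = _as_list(stmt.get("Resource"))
        if resources and not any(_matches_arn(r, topic_arn) for r in resources):
            findings.append(f"{sid}: no Resource entry matches the attached topic {topic_arn}")

        # Public Allow with nothing narrowing it (e.g. aws:SourceArn) exposes the topic.
        if (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(f"{sid}: Allow to anonymous Principal without a Condition makes the topic public")
    return findings


if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("defective", DEFECTIVE_POLICY)):
        print(name, check_topic_policy(pol, TOPIC_ARN) or "OK")
```

Run it against a policy you have pulled with `aws sns get-topic-attributes` (the `Policy` attribute is a JSON string, so `json.loads` it first) and the topic's ARN; the mismatch check is the one that catches a policy copied from another topic without editing the Resource line.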