
I am assessing the security of an SNS topic and I noticed it has the following configuration:

{
    "Action": [
      "SNS:Receive",
      "SNS:Subscribe"
    ],
    "Principal": {
      "AWS": "*"
    },
    "Resource": "arn:aws:sns:us-east-1:topicowner:topic",
    "Effect": "Allow",
    "Sid": "__console_sub_0"
}

I am not the topic owner; however, given that it allows for anonymous access (or at least authenticated access from any AWS account), I assumed I could subscribe to it with the following CLI command:

aws sns subscribe --topic-arn "arn:aws:sns:us-east-1:topicowner:topic" --protocol email --notification-endpoint [email protected]

(I configured it using my AWS access key and secret.)

But I got the following error instead:

An error occurred (InvalidParameter) when calling the Subscribe operation: Invalid parameter: TopicArn

Am I assuming wrong? Is there anything else I should try?


1 Answer


The topic ARN does not seem to be a valid one; it is missing the AWS account id. The correct syntax is:

arn:aws:sns:region:account-id:topicname

Just for correction, when you say "given the fact it allows for anonymous access": that is not true. A Principal wildcard means all users within an AWS account, not any anonymous user.

Also try adding the region: --region us-east-1
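The two points raised on this page, the malformed topic ARN (a non-numeric account-id field, which is what the CLI's `Invalid parameter: TopicArn` check is complaining about) and the wildcard `Principal` in the topic policy, can both be checked offline before touching the AWS API. The following script is an added example, not code from the original question or answer: it validates the shape of an SNS topic ARN against the documented `arn:partition:sns:region:account-id:topicname` format, and audits a topic policy document for `Allow` statements whose `Principal` is a wildcard with no `Condition` (the kind of statement a defender would want to review or guard with an `AWS:SourceOwner` condition). The regular expression, the `validate_topic_arn` / `find_open_statements` function names and the sample policy (which wraps the statement from the question together with a constructed, condition-guarded statement using the placeholder account id `111122223333`) are all assumptions of this example.

```python
from __future__ import annotations

import json
import re

# Assumed shape of an SNS topic ARN, built from the documented format
# arn:<partition>:sns:<region>:<12-digit account id>:<topic name>.
TOPIC_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):sns:"
    r"(?P<region>[a-z]{2}(-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):"
    r"(?P<topic>[A-Za-z0-9_.-]{1,256})$"
)


def validate_topic_arn(arn: str) -> tuple[bool, str]:
    """Return (ok, reason) for a topic ARN, mirroring the client-side shape
    check that rejects an ARN whose account-id field is not a 12-digit number."""
    parts = arn.split(":")
    if len(parts) != 6:
        return False, f"expected 6 colon-separated fields, got {len(parts)}"
    if TOPIC_ARN_RE.match(arn):
        return True, "ok"
    account = parts[4]
    if not re.fullmatch(r"\d{12}", account):
        return False, f"account-id field {account!r} is not a 12-digit AWS account id"
    return False, "region, partition or topic name is malformed"


def _principals(stmt: dict) -> list[str]:
    """Normalise the Principal element to a flat list of AWS principal strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def find_open_statements(policy: dict) -> list[dict]:
    """Return the Allow statements that grant actions to a wildcard principal
    without any Condition restricting who can actually use the grant."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        if stmt.get("Condition"):
            continue  # a guard such as AWS:SourceOwner narrows the wildcard
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append({"Sid": stmt.get("Sid"), "Action": actions,
                         "Resource": stmt.get("Resource")})
    return findings


# Constructed sample policy: the statement posted in the question, plus a
# second statement guarded by an AWS:SourceOwner condition (placeholder account).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["SNS:Receive", "SNS:Subscribe"],
      "Resource": "arn:aws:sns:us-east-1:topicowner:topic"
    },
    {
      "Sid": "__owner_only",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["SNS:Publish", "SNS:SetTopicAttributes"],
      "Resource": "arn:aws:sns:us-east-1:111122223333:topic",
      "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}
    }
  ]
}
""")

if __name__ == "__main__":
    for arn in ("arn:aws:sns:us-east-1:topicowner:topic",
                "arn:aws:sns:us-east-1:111122223333:topic"):
        print(arn, "->", validate_topic_arn(arn))
    for finding in find_open_statements(SAMPLE_POLICY):
        print("open statement:", finding)
```

Run as-is, the script reports the question's ARN as invalid because `topicowner` is not a 12-digit account id, and flags only `__console_sub_0` as an unconditioned wildcard grant; the second statement is skipped because its `Condition` narrows the wildcard to a single owner account.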