Amazon SNS API permissions: Actions and resources reference - Amazon Simple Notification Service
Policy quotasValid Amazon SNS policy actionsService-specific keys

Amazon SNS API permissions: Actions and resources reference

The following list grants information specific to the Amazon SNS implementation of access control:

  • Each policy must cover only a single topic (when writing a policy, don't include statements that cover different topics)

  • Each policy must have a unique policy Id

  • Each statement in a policy must have a unique statement sid

Policy quotas

The following table lists the maximum quotas for a policy statement.

Name Maximum quota

Bytes

30 kb

Statements

100

Principals

1 to 200 (0 is invalid.)

Resource

1 (0 is invalid. The value must match the ARN of the policy's topic.)

Valid Amazon SNS policy actions

Amazon SNS supports the actions shown in the following table.

Action Description
sns:AddPermission Grants permission to add permissions to the topic policy.
sns:DeleteTopic Grants permission to delete a topic.
sns:GetDataProtectionPolicy Grants permission to retrieve a topic's data protection policy.
sns:GetTopicAttributes Grants permission to receive all of the topic attributes.
sns:ListSubscriptionsByTopic Grants permission to retrieve all the subscriptions to a specific topic.
sns:ListTagsForResource Grants permission to list all tags added to a specific topic.
sns:Publish Grants permission to both publish and publish batch to a topic or endpoint. For more information, see Publish and PublishBatch in the Amazon Simple Notification Service API Reference.
sns:PutDataProtectionPolicy Grants permission to set a topic's data protection policy.
sns:RemovePermission Grants permission to remove any permissions in the topic policy.
sns:SetTopicAttributes Grants permission to set a topic's attributes.
sns:Subscribe Grants permission to subscribe to a topic.

Service-specific keys

Amazon SNS uses the following service-specific keys. You can use these in policies that restrict access to Subscribe requests.

  • sns:endpoint—The URL, email address, or ARN from a Subscribe request or a previously confirmed subscription. Use with string conditions (see Example policies for Amazon SNS) to restrict access to specific endpoints (for example, *@example.com).

  • sns:protocol—The protocol value from a Subscribe request or a previously confirmed subscription. Use with string conditions (see Example policies for Amazon SNS) to restrict publication to specific delivery protocols (for example, https).

Important

When you use a policy to control access by sns:Endpoint, be aware that DNS issues might affect the endpoint's name resolution in the future.