Getting started with Amazon SNS SMS access management - Amazon Simple Notification Service

Getting started with Amazon SNS SMS access management

Important

The Amazon SNS SMS Developer Guide has been updated. Amazon SNS has integrated with AWS End User Messaging SMS for the delivery of SMS messages. This guide contains the latest information on how to create, configure, and manage your Amazon SNS SMS messages.

To enable SMS messaging in Amazon SNS, you need to grant Amazon SNS the necessary permissions to access your SMS resources and call the AWS End User Messaging SMS APIs on your behalf. There are two primary mechanisms that control this access:

  1. An IAM policy that grants access to AWS End User Messaging SMS APIs

  2. Resource-based policies to grant permission for AWS End User Messaging SMS resources

    Origination identities that you request through the console can be given a resource policy that grants Amazon SNS permission at creation time; the default opt-out list has no such policy, so you must add one yourself (see the steps under SMS IAM policies below).

SMS IAM policies

SMS AWS Identity and Access Management (IAM) policies refer to the policies that grant Amazon SNS the necessary permissions to access and use AWS End User Messaging SMS APIs. These policies define the actions that Amazon SNS is allowed to perform when interacting with AWS End User Messaging SMS resources, such as sending SMS messages.

  1. If the identity you use is not an administrator, attach an IAM policy that allows the sms-voice actions it needs.

    If you are in the sandbox, you can start sending SMS messages to verified destination phone numbers without setting additional resource policies.

  2. If you requested a new origination identity, select the appropriate policy in the console. This grants Amazon SNS and AWS End User Messaging SMS access to the resource.

  3. If you want to use opt-outs, note that the default opt-out list has no default resource policy. You must add a resource policy to it in AWS End User Messaging SMS before Amazon SNS can use the list through the Amazon SNS APIs.

Use the following policy to allow all SMS-related APIs in SNS. Two caveats before you copy it: an identity-based policy attached to an IAM user, group, or role cannot contain a Principal element (IAM rejects it), and the aws:SourceAccount key is present in the request context only when an AWS service calls another service on a resource owner's behalf, so a StringEquals on it never matches a caller's own API requests. Keep the Principal and Condition only when you use this statement in a resource-based policy; drop both when you attach it as an identity-based policy. Prefer the explicit list of sns: actions in the next policy over sns:*, which grants every Amazon SNS action.

Note

sms-voice:SendTextMessage and the opt-out APIs are not present in the following example; sending through an origination identity and using an opt-out list are granted by the resource-based policies on those resources (see Resource-based policies below).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "sns.amazonaws.com" },
      "Action": [
        "sns:*",
        "sms-voice:CreateVerifiedDestinationPhoneNumber",
        "sms-voice:DeleteVerifiedDestinationPhoneNumber",
        "sms-voice:GetAccountTier",
        "sms-voice:DescribePhoneNumbers",
        "sms-voice:DescribeDestinationPhoneNumbers",
        "sms-voice:VerifyDestinationPhoneNumber",
        "sms-voice:DescribeSpendLimits",
        "sms-voice:DescribeConfigurationSets",
        "sms-voice:SetTextMessageSpendLimitOverride",
        "sms-voice:UpdateRouteType",
        "sms-voice:UpdateSenderId"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "<owner account>" }
      }
    }
  ]
}

Use the following IAM policy to allow the SMS (direct publish) functionality in SNS. It names the individual sns: actions instead of sns:*, which is the form to prefer when you scope a role to SMS publishing. As with the policy above, remove the Principal element when you attach it to an IAM user, group, or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "sns.amazonaws.com" },
      "Action": [
        "sns:CreateSMSSandboxPhoneNumber",
        "sns:DeleteSMSSandboxPhoneNumber",
        "sns:GetSMSSandboxPhoneNumber",
        "sns:ListSMSSandboxPhoneNumbers",
        "sns:VerifySMSSandboxPhoneNumber",
        "sns:ListOriginationNumbers",
        "sns:CheckIfPhoneNumberIsOptedOut",
        "sns:GetSMSAttributes",
        "sns:SetSMSAttributes",
        "sns:Publish",
        "sms-voice:CreateVerifiedDestinationPhoneNumber",
        "sms-voice:DeleteVerifiedDestinationPhoneNumber",
        "sms-voice:GetAccountTier",
        "sms-voice:DescribePhoneNumbers",
        "sms-voice:DescribeDestinationPhoneNumbers",
        "sms-voice:VerifyDestinationPhoneNumber",
        "sms-voice:DescribeSpendLimits",
        "sms-voice:DescribeConfigurationSets",
        "sms-voice:SetTextMessageSpendLimitOverride",
        "sms-voice:UpdateRouteType",
        "sms-voice:UpdateSenderId"
      ],
      "Resource": "*"
    }
  ]
}

Managing custom Amazon SNS IAM policies

Custom IAM policies allow you to specify permissions for individual IAM users, groups, or roles, granting or restricting access to specific AWS resources and actions. When managing Amazon SNS resources, custom IAM policies allow you to tailor access permissions according to your organization's security and operational requirements.

Use the following steps to manage custom IAM policies for Amazon SNS:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. From the navigation pane, choose Policies.

  3. To create a new custom IAM policy, choose Create policy and select SNS as the service. To edit an existing policy, select it from the list and choose Edit policy.

  4. In the policy editor, define the permissions for accessing Amazon SNS resources. You can specify actions, resources, and conditions based on your specific requirements.

  5. To grant permissions for Amazon SNS actions, include relevant Amazon SNS actions such as sns:Publish, sns:Subscribe, and sns:DeleteTopic in your IAM policy. Define the ARN (Amazon Resource Name) of the Amazon SNS topics to which the permissions apply.

  6. Specify the IAM users, groups, or roles to which the policy should be attached. You can attach the policy directly to IAM users or groups, or associate it with IAM roles used by AWS services or applications.

  7. Review the IAM policy configuration to ensure it aligns with your access control requirements. Once verified, save the policy changes.

  8. Attach the custom IAM policy to the relevant IAM users, groups, or roles within your AWS account. This grants them the permissions defined in the policy for managing Amazon SNS resources.

Resource-based policies

Resource-based policies are attached to the AWS End User Messaging SMS resources themselves (origination identities and opt-out lists) rather than to an IAM identity. They state which principals may perform which actions on that resource, for example letting the Amazon SNS service principal send messages through an origination identity.

By configuring resource-based policies, you control which AWS accounts' Amazon SNS usage may use a given resource. A condition on aws:SourceAccount keeps the grant from being usable by another account's traffic that arrives through the same sns.amazonaws.com service principal, so sending through your origination identities stays restricted to the accounts you intend while those accounts can still use the SMS capabilities of Amazon SNS.

Origination identities

When you send SMS messages using Amazon SNS, you can identify yourself to your recipients using an origination identity. Attach a resource-based policy like the following to the origination identity so that the Amazon SNS service principal can send through it. The Resource is the ARN of the origination identity in AWS End User Messaging SMS, and the Condition on aws:SourceAccount limits the grant to SMS traffic that Amazon SNS handles for one account; without it, any account's SNS usage could send through your number. The two account IDs below are placeholders: in the usual single-account setup both are your own account ID, and they differ only when you deliberately share the origination identity with another account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "sns.amazonaws.com" },
      "Action": "sms-voice:SendTextMessage",
      "Resource": "arn:aws:sms-voice:us-east-1:555555555555:phone-number/phone-11aa2b3333c44444d55e6ffff77gggg8",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "111111111111" }
      }
    }
  ]
}
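The following script is an added example, not code from this guide or from AWS. It lints the two kinds of policy on this page offline: an identity-based policy (the SMS IAM policies above) must not carry a Principal, must not depend on aws:SourceAccount, and should not duplicate or wildcard actions; a resource-based policy on an origination identity or opt-out list must name the sns.amazonaws.com service principal, reference an sms-voice resource, and carry an aws:SourceAccount condition, with a cross-account value flagged for review. It ends with a function that pushes a checked policy to the resource through the End User Messaging SMS PutResourcePolicy API; the pinpoint-sms-voice-v2 boto3 client and its ResourceArn/Policy parameters are assumptions not shown on this page, and the embedded sample policies are constructed copies of the page's examples.

```python
"""Offline linter for the policies on this page (added example, not AWS tooling).
Assumptions not taken from the page: IAM rejects a Principal in an identity-based
policy; aws:SourceAccount is set only on requests a service makes on a resource
owner's behalf; PutResourcePolicy takes ResourceArn and Policy (a JSON string)."""
import json
import re

ARN_RE = re.compile(r"^arn:aws:(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*):"
                    r"(?P<account>\d{12})?:(?P<resource>.+)$")
ACTION_RE = re.compile(r"^(?:\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    # The page prints bare statements without a Version/Statement wrapper; accept both.
    return _as_list(policy["Statement"]) if "Statement" in policy else [policy]


def lint_identity_policy(policy):
    """Findings (strings) for a policy to be attached to an IAM user, group or role."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("missing or old Version; use 2012-10-17")
    for i, st in enumerate(_statements(policy)):
        if "Principal" in st:
            findings.append(f"statement {i}: Principal is not allowed in an identity-based policy")
        seen = set()
        for action in _as_list(st.get("Action", [])):
            if action in seen:
                findings.append(f"statement {i}: duplicate action {action}")
            seen.add(action)
            if not ACTION_RE.match(action):
                findings.append(f"statement {i}: malformed action {action!r}")
            elif action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}; list the actions you need")
        for operator_map in st.get("Condition", {}).values():
            if "aws:SourceAccount" in operator_map:
                findings.append(f"statement {i}: aws:SourceAccount never matches a caller's own API calls")
    return findings


def lint_sms_resource_policy(policy, owner_account):
    """(severity, message) findings for a resource policy on an End User Messaging SMS
    resource (phone number, sender ID, pool, opt-out list) that lets Amazon SNS use it."""
    findings = []
    for i, st in enumerate(_statements(policy)):
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("Service") != "sns.amazonaws.com":
            findings.append(("error", f"statement {i}: Principal must be the sns.amazonaws.com service"))
        for arn in _as_list(st.get("Resource", [])):
            m = ARN_RE.match(arn)
            if not m or m.group("service") != "sms-voice":
                findings.append(("error", f"statement {i}: {arn!r} is not an sms-voice resource ARN"))
            elif m.group("account") != owner_account:
                findings.append(("error", f"statement {i}: {arn} is not owned by {owner_account}"))
        source = st.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if source is None:  # any account's SNS traffic could then use the resource (confused deputy)
            findings.append(("error", f"statement {i}: no aws:SourceAccount condition"))
        elif source != owner_account:
            findings.append(("info", f"statement {i}: cross-account grant to SNS in {source}; confirm it"))
    return findings


def apply_resource_policy(client, resource_arn, policy):
    """Lint, then attach `policy` to the SMS resource with PutResourcePolicy; returns the JSON sent.
    `client` is assumed to be boto3.client("pinpoint-sms-voice-v2") or a test double."""
    m = ARN_RE.match(resource_arn)
    if not m:
        raise ValueError(f"not an ARN: {resource_arn}")
    errors = [msg for level, msg in lint_sms_resource_policy(policy, m.group("account")) if level == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    document = json.dumps(policy)
    client.put_resource_policy(ResourceArn=resource_arn, Policy=document)
    return document


# Constructed copies of this page's two examples (the identity policy's action list is abridged).
PAGE_IDENTITY_POLICY = {
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": ["sns:*", "sms-voice:DescribePhoneNumbers", "sms-voice:DescribeSpendLimits",
               "sms-voice:DescribePhoneNumbers"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}},
}
PAGE_RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "sms-voice:SendTextMessage",
    "Resource": "arn:aws:sms-voice:us-east-1:555555555555:phone-number/phone-11aa2b3333c44444d55e6ffff77gggg8",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}},
}]}

if __name__ == "__main__":
    for finding in lint_identity_policy(PAGE_IDENTITY_POLICY):
        print("identity:", finding)
    for level, finding in lint_sms_resource_policy(PAGE_RESOURCE_POLICY, "555555555555"):
        print(f"resource [{level}]:", finding)
```

Run against the page's own examples, the identity linter reports the missing Version, the Principal element, the sns:* wildcard, the duplicated sms-voice:DescribePhoneNumbers, and the aws:SourceAccount condition; the resource linter accepts the origination-identity policy and only notes that the aws:SourceAccount value (111111111111) differs from the account in the resource ARN (555555555555), which is what you would expect to see when sharing a number across accounts and would want to look at twice otherwise.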