Restricting Origination Ids to IAM roles


Hi Team, I want to utilize SNS to send transactional SMS messages to customers in multiple countries, specifically for OTPs and important notifications. I understand that I need to provision multiple origination identities, one set for the OTP use case and another set for notifications.

Is it possible to restrict certain origination IDs (created for the OTP use case) so that they are visible only to a specific IAM role? Let's say the role is for the Cognito and SNS integration. And the other origination IDs would be visible only to another IAM role used by my web-application backend to send important notifications via SMS using SNS.

1 Answer

Yes, it is possible. You can define IAM policies that allow or deny access to SNS origination identities based on various conditions, including the identity itself, the action being performed, and the IAM role or user attempting the action. Here's an example of how you can restrict access to specific origination identities for different IAM roles:

Define an IAM policy that allows access to specific origination identities for the IAM role used by your Cognito and SNS integration:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:REGION:ACCOUNT_ID:ORIGINATION_ID_1",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::ACCOUNT_ID:role/CognitoRole"
                }
            }
        }
    ]
}

Define another IAM policy that allows access to different origination identities for the IAM role used by your web application backend:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:REGION:ACCOUNT_ID:ORIGINATION_ID_2",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::ACCOUNT_ID:role/WebAppRole"
                }
            }
        }
    ]
}

Replace REGION, ACCOUNT_ID, ORIGINATION_ID_1, ORIGINATION_ID_2, CognitoRole, and WebAppRole with the appropriate values for your environment.

With these IAM policies in place, the IAM role associated with your Cognito integration will only be able to publish messages using the specified origination identity, and the IAM role associated with your web application backend will only be able to publish messages using the other specified origination identity.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • Hi Adeleke, thanks for your response. Can you explain how I can specify multiple origination identities using the Resource attribute? Suppose the WebAppRole should have access to 3 origination numbers (10DLC numbers) that I provisioned in the Amazon Pinpoint console. Can I add all three resources/numbers under the same IAM policy?

  • Yes, you can specify multiple origination identities (e.g., 10DLC numbers) in the Resource attribute of an IAM policy by providing multiple ARNs (Amazon Resource Names) separated by commas. Here's how you can modify the IAM policy to allow the WebAppRole IAM role to have access to three origination numbers:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sns:Publish",
                "Resource": [
                    "arn:aws:sns:REGION:ACCOUNT_ID:ORIGINATION_ID_1",
                    "arn:aws:sns:REGION:ACCOUNT_ID:ORIGINATION_ID_2",
                    "arn:aws:sns:REGION:ACCOUNT_ID:ORIGINATION_ID_3"
                ],
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalArn": "arn:aws:iam::ACCOUNT_ID:role/WebAppRole"
                    }
                }
            }
        ]
    }

    In this policy: replace REGION, ACCOUNT_ID, ORIGINATION_ID_1, ORIGINATION_ID_2, and ORIGINATION_ID_3 with the appropriate values for your environment. Each origination identity has its own ARN, and you can specify them in the Resource array. The WebAppRole IAM role is granted permission to publish messages using any of the three specified origination identities. The StringEquals condition ensures that only the WebAppRole IAM role is allowed to publish messages using the specified origination identities.

  • By specifying multiple origination identities in the Resource attribute of the IAM policy, you can control access to all three origination numbers using a single policy.
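The following is an added example, not code from the thread above or from AWS: it generates one per-role policy in the shape the answer describes (a Resource array of origination ARNs plus a StringEquals condition on the caller's role) and runs both policies through a small, simplified model of IAM's evaluation rules (implicit deny, explicit Deny overriding Allow, `*`/`?` wildcards, StringEquals only). The account ID, region, role names and origination IDs are constructed placeholders using the ARN formats the answer uses. The condition key is `aws:PrincipalArn`, which is the global condition key that carries the calling principal's ARN; `aws:SourceArn` describes a calling AWS service's resource, not the IAM role making the request, so a StringEquals on it against a role ARN never matches.

```python
"""Generate per-role SNS publish policies and check them with a toy IAM evaluator.

Added example; the evaluator is a simplified model of IAM, not the real engine.
"""
import json
import re

REGION = "us-east-1"          # assumed region
ACCOUNT_ID = "123456789012"   # constructed example account ID

# Constructed placeholder origination IDs, one set per use case.
ROLE_IDENTITIES = {
    "CognitoRole": ["otp-sender-id"],
    "WebAppRole": ["10dlc-number-1", "10dlc-number-2", "10dlc-number-3"],
}


def origination_arn(origination_id):
    # Same placeholder ARN format as the answer above.
    return f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:{origination_id}"


def role_arn(role_name):
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"


def build_policy(role_name, origination_ids):
    """One Allow statement: sns:Publish on this role's identities only.

    aws:PrincipalArn is the caller's ARN; aws:SourceArn would not match a role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": [origination_arn(o) for o in origination_ids],
            "Condition": {"StringEquals": {"aws:PrincipalArn": role_arn(role_name)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcard semantics: '*' matches any run, '?' matches one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_ok(condition, context):
    # Only StringEquals is modelled; anything else is an explicit unsupported case.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policies, principal_arn, action, resource):
    """Simplified IAM evaluation: implicit deny; an explicit Deny beats any Allow."""
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_ok(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policies_for_all_roles():
    return [build_policy(role, ids) for role, ids in ROLE_IDENTITIES.items()]


def access_matrix():
    """(role, origination_id) -> allowed, with every policy attached to every role.

    Attaching all policies everywhere shows that the Condition alone keeps
    each role on its own origination identities.
    """
    policies = policies_for_all_roles()
    all_ids = [i for ids in ROLE_IDENTITIES.values() for i in ids]
    return {
        (role, oid): is_allowed(policies, role_arn(role), "sns:Publish", origination_arn(oid))
        for role in ROLE_IDENTITIES
        for oid in all_ids
    }


if __name__ == "__main__":
    for (role, oid), ok in sorted(access_matrix().items()):
        print(f"{role:12s} {oid:16s} {'ALLOW' if ok else 'DENY'}")
    print(json.dumps(build_policy("WebAppRole", ROLE_IDENTITIES["WebAppRole"]), indent=4))
```

In practice each generated document is attached only to its own role, so the Condition is belt-and-braces there; it matters when the same customer-managed policy ends up on more than one principal, which is the case the matrix exercises. Before relying on any of this, confirm in the IAM policy simulator (or with `iam:SimulatePrincipalPolicy`) that sns:Publish for SMS honours the resource ARNs you use, since this toy evaluator only models the policy logic, not which resource types SNS actually enforces.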
