IAM policies for Amazon SNS topics - AWS End User Messaging SMS

IAM policies for Amazon SNS topics

If you want AWS End User Messaging SMS to use an existing IAM role, or if you create a new role, attach the following policies to that role so that AWS End User Messaging SMS can assume it. For information about how to modify the trust relationship of a role, see Modifying a Role in the IAM User Guide.

The following is the trust policy for the IAM role. In this policy, make the following change:

  • Replace accountId with the unique ID for your AWS account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SMSVoice",
            "Effect": "Allow",
            "Principal": {
                "Service": "sms-voice.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "accountId"
                }
            }
        }
    ]
}

The following is the permission policy for the IAM role. The SMSVoiceAllowSNSPublish statement allows publishing to Amazon SNS topics, and the SMSVoiceAllowEncryptedSNSTopics statement is an optional statement for encrypted Amazon SNS topics.

In the following IAM permission policy, make the following changes:

  • Replace partition with the AWS partition that you use AWS End User Messaging SMS in.

  • Replace region with the AWS Region that you use AWS End User Messaging SMS in.

  • Replace accountId with the unique ID for your AWS account.

  • Replace snsTopicArn with the Amazon SNS topics that will receive messages.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SMSVoiceAllowSNSPublish",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:partition:sns:region:accountId:snsTopicArn",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "accountId"
                }
            }
        },
        {
            "Sid": "SMSVoiceAllowEncryptedSNSTopics",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:sns:topicArn": "arn:partition:sns:region:accountId:snsTopicArn",
                    "aws:CalledViaLast": "sns.amazonaws.com"
                }
            }
        }
    ]
}
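
The following Python is an added example, not part of the AWS documentation. It fills the placeholders in both policies and then audits that the conditions scoping the role (aws:SourceAccount on the trust policy, aws:ResourceAccount on sns:Publish, and both KMS conditions on the statement with Resource "*") are still present after editing. The function names, the sample account ID, Region and topic name are constructed, and it assumes snsTopicArn stands for the last segment of the topic ARN, as its position in the Resource string implies.

```python
import re

SERVICE = "sms-voice.amazonaws.com"
KMS_KEYS = ("kms:EncryptionContext:aws:sns:topicArn", "aws:CalledViaLast")

def build_policies(partition, region, account_id, topic_name):
    """Fill the page's placeholders (topic_name = last segment of the topic ARN)."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("accountId must be a 12-digit AWS account ID")
    topic_arn = f"arn:{partition}:sns:{region}:{account_id}:{topic_name}"
    trust = {"Version": "2012-10-17", "Statement": [{
        "Sid": "SMSVoice", "Effect": "Allow",
        "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}}}]}
    perm = {"Version": "2012-10-17", "Statement": [
        {"Sid": "SMSVoiceAllowSNSPublish", "Effect": "Allow",
         "Action": "sns:Publish", "Resource": topic_arn,
         "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}}},
        {"Sid": "SMSVoiceAllowEncryptedSNSTopics", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*",
         "Condition": {"StringEquals": {KMS_KEYS[0]: topic_arn,
                                        KMS_KEYS[1]: "sns.amazonaws.com"}}}]}
    return trust, perm

def audit(trust, perm, account_id):
    """Return findings where the scoping conditions from the page are missing."""
    findings = []
    for s in trust["Statement"]:
        cond = s.get("Condition", {}).get("StringEquals", {})
        if (s.get("Principal", {}).get("Service") == SERVICE
                and cond.get("aws:SourceAccount") != account_id):
            findings.append("trust: aws:SourceAccount does not pin the account")
    for s in perm["Statement"]:
        cond = s.get("Condition", {}).get("StringEquals", {})
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if "sns:Publish" in actions and cond.get("aws:ResourceAccount") != account_id:
            findings.append(f"{s['Sid']}: aws:ResourceAccount does not pin the account")
        if s.get("Resource") == "*" and any(a.startswith("kms:") for a in actions):
            findings += [f"{s['Sid']}: Resource '*' without {k}"
                         for k in KMS_KEYS if k not in cond]
    return findings

# Constructed sample values, not from the page.
ACCOUNT = "111122223333"
TRUST, PERM = build_policies("aws", "us-east-1", ACCOUNT, "sms-events")
```

An empty list from `audit(TRUST, PERM, ACCOUNT)` means every condition is in place; a leftover `accountId` placeholder is rejected by `build_policies` before any policy is produced.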