Why can't I publish or subscribe to an Amazon SNS topic?

Last updated: 2022-02-08

I can't publish or subscribe to an Amazon Simple Notification Service (Amazon SNS) topic. How do I troubleshoot the issue?

Short description

An AWS Identity and Access Management (IAM) resource or identity can't publish or subscribe to an Amazon SNS topic without the required permissions.

To grant the IAM permissions required to publish or subscribe to an Amazon SNS topic, do one of the following based on your use case.

Note: Amazon SNS uses IAM identity-based and Amazon SNS resource-based access policies together to grant access to SNS topics. You can use an IAM policy to restrict user or role access to Amazon SNS actions and topics. An IAM policy can restrict access only to users within your AWS account, not to other AWS accounts. For more information, see IAM and Amazon SNS policies together.

Resolution

To grant another AWS service permissions to publish to an Amazon SNS topic

Your Amazon SNS topic's resource-based policy must allow the other AWS service to publish messages to the topic. Review your topic's access policy to confirm that it has the required permissions, and add them if needed.

To add the required permissions, edit your Amazon SNS topic's access policy so that it includes the following permissions statement.
Important: Replace <service> with the AWS service.

{
    "Sid": "Allow-AWS-Service-to-publish-to-the-topic",
    "Effect": "Allow",
    "Principal": {
        "Service": "<service>.amazonaws.com"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:your_region:123456789012:YourTopicName"
}

Important: These permissions allow anyone that has access to your SNS topic's Amazon Resource Name (ARN) to publish messages to the topic through the service endpoint. You can add global condition keys to restrict the publishing permissions to specific resources. The following example uses the arnLike condition operator and the aws:SourceArn global condition key. For more information, see Example cases for Amazon SNS access control.

Example IAM policy that restricts Amazon SNS publishing permissions to specific resources

Important: Replace <region> with the resource's AWS Region. Replace <account-id> with your account ID. Replace <resource-name> with the resource's name. Replace <service> with the AWS service.

{
    "Sid": "Allow-AWS-Service-to-publish-to-the-topic",
    "Effect": "Allow",
    "Principal": {
        "Service": "<service>.amazonaws.com"	 
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:your_region:123456789012:YourTopicName",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:<service>:<region>:<account-id>:<resource-type>:<resource-name>"
        }
    }
}

Note: Amazon S3 doesn't support FIFO SNS topics. If there's an S3 ARN on the topic policy, then make sure that it isn't a path to a bucket folder. For example: arn:aws:s3:*:*:mys3-bucket/*

To allow an IAM user or role to subscribe and publish to an Amazon SNS topic

By default, only the topic owner can publish or subscribe to a topic. To allow other IAM entities to subscribe and publish to your topic, your topic's identity-based policy must grant the required permissions.

Important: Make sure that neither the IAM entity's policy nor the SNS topic's access policy explicitly denies access to the SNS resource. For more information, see The difference between explicit and implicit denies.

If the IAM entity and the SNS topic are in different AWS accounts

Do both of the following:

1.    Attach an IAM policy statement to the IAM entity that allows the entity to run the "sns:Subscribe" and "sns:Publish" actions. For instructions, see Adding and removing IAM identity permissions.

The following is an example IAM identity-based policy that allows an IAM entity to subscribe and publish to an SNS topic:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:your_region:123456789012:YourTopicName"
        }
    ]
}

2.    Attach an SNS policy statement to your topic's access policy that allows the IAM entity to run the "sns:Subscribe" and "sns:Publish" actions. For instructions, see How do I edit my Amazon SNS topic's access policy?

The following is an example Amazon SNS topic access policy that allows an IAM entity to subscribe and publish to an SNS topic:

{
    "Statement": [
        {
            "Sid": "Allow-SNS-Permission",
            "Effect": "Allow",
            "Principal": {
                "AWS": "111122223333"
            },
            "Action": [
                "sns:Publish",
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:your_region:123456789012:YourTopicName"
        }
    ]
}

Note: The Principal can be an IAM identity-based user or role, or AWS account number. For more information, see AWS JSON policy elements: Principal.

If the IAM entity and the SNS topic are in the same account

Do either of the following, but not both:

Attach an IAM policy statement to the IAM entity that allows the entity to run the "sns:Subscribe" and "sns:Publish" actions.

-or-

Attach an SNS policy statement to your topic's access policy that allows the IAM entity to run the "sns:Subscribe" and "sns:Publish" actions.

For example policy statements, see the If the IAM entity and the SNS topic are in different AWS accounts section of this article.

(For topics with server-side encryption (SSE) activated) Confirm that your topic has the required AWS Key Management (AWS KMS) permissions

If your topic has SSE activated, then your Amazon SNS topic must use an AWS KMS key that is customer managed. This KMS key must include a custom key policy that gives other AWS services sufficient key usage permissions.

The following permissions are the minimum requirements:
"kms:Decrypt"
"kms:GenerateDataKey*"

To set up the required AWS KMS permissions, do the following:

1.    Create a new KMS key that is customer managed and includes the required permissions for the other AWS service.

2.    Configure SSE for your Amazon SNS topic using the custom KMS key you just created.

3.    Configure AWS KMS permissions that allow the other AWS service to publish messages to your encrypted topic.

Example IAM policy statement that allows another AWS service to publish messages to an encrypted SNS topic
Important: Replace <service> with the AWS service.

{
    "Sid": "Allow-a-service-to-use-this-key",
    "Effect": "Allow",
    "Principal": {
        "Service": "<service>.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*"
}