Merge pull request #2622 from ASFHyP3/restrict-sns-perms

restrict sns publish to same region and account
ASFHyP3 · Feb 25, 2025 · 6ecbba7 · 6ecbba7
2 parents 861e58e + df6ccbe
commit 6ecbba7
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - `ARIA_S1_GUNW` job type to hyp3-edc-uat deployment.
-- All jobs now have `sns:Publish` permissions for all SNS topics.
+- All jobs now have `sns:Publish` permissions for SNS topics in the same AWS region and account for the purpose of sending messages to a co-located deployment of <https://github.com/ASFHyP3/ingest-adapter>.
 
 ### Changed
 - The reserved `bucket_prefix` job spec parameter has been renamed to `job_id` and can be referenced as `Ref::job_id` within each step's `command` field.

diff --git a/apps/compute-cf.yml.j2 b/apps/compute-cf.yml.j2
@@ -179,7 +179,7 @@ Resources:
             Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
           - Effect: Allow
             Action: sns:Publish
-            Resource: "arn:aws:sns:*"
+            Resource: !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:*"
 
   BatchServiceRole:
     Type: {{ 'Custom::JplRole' if security_environment in ('JPL', 'JPL-public') else 'AWS::IAM::Role' }}