AWS sms-voice documentation change
Summary
Replaced general guidance about IAM policies with specific JSON examples for trust policy and permission policy, including detailed placeholders and optional KMS permissions for encrypted SNS topics
Security assessment
This change provides explicit IAM policy examples with security best practices like aws:SourceAccount and aws:ResourceAccount condition keys, and includes optional KMS permissions with specific encryption context conditions. However, there's no evidence this addresses a specific security vulnerability or incident - it appears to be routine documentation improvement for clarity and completeness.
Diff
diff --git a/sms-voice/latest/userguide/rcs-inbound.md b/sms-voice/latest/userguide/rcs-inbound.md index 0233b62e6..1cf03ac78 100644 --- a//sms-voice/latest/userguide/rcs-inbound.md +++ b//sms-voice/latest/userguide/rcs-inbound.md @@ -113,7 +113,69 @@ The Amazon SNS topic that you configure for two-way RCS messaging must allow AWS -Create an IAM role that AWS End User Messaging can assume to publish messages to your SNS topic. The role needs both a trust policy and a permission policy. The policies are identical to those used for SMS two-way messaging. - -The **trust policy** must allow the `sms-voice.amazonaws.com` service principal to call `sts:AssumeRole`. Include a condition that restricts access to your account ID using the `aws:SourceAccount` condition key. - -The **permission policy** must grant the `sns:Publish` action on your SNS topic ARN. You can optionally include permissions for encrypted SNS topics using `kms:GenerateDataKey` and `kms:Decrypt`. - -For complete IAM policy examples with JSON that you can copy, see [IAM policies for SNS topics](https://docs.aws.amazon.com//sms-voice/latest/userguide/two-way-sms-iam-policy.html) in the two-way SMS messaging documentation. The same policies apply to RCS two-way messaging. +Create an IAM role that AWS End User Messaging can assume to publish messages to your SNS topic. The role needs both a trust policy and a permission policy. + +The following is the **trust policy** for the IAM role. Replace `accountId` with the unique ID for your AWS account. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "SMSVoice", + "Effect": "Allow", + "Principal": { + "Service": "sms-voice.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "accountId" + } + } + } + ] + } + +The following is the **permission policy** for the IAM role. The `SMSVoiceAllowSNSPublish` Sid allows publishing to Amazon SNS topics and the `SMSVoiceAllowEncryptedSNSTopics` Sid is optional for encrypted Amazon SNS topics. Make the following changes: + + * Replace `partition` with the AWS partition that you use AWS End User Messaging in. + + * Replace `region` with the AWS Region that you use AWS End User Messaging in. + + * Replace `accountId` with the unique ID for your AWS account. + + * Replace `snsTopicName` with the name of the Amazon SNS topic that receives inbound messages. + + + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "SMSVoiceAllowSNSPublish", + "Effect": "Allow", + "Action": "sns:Publish", + "Resource": "arn:partition:sns:region:accountId:snsTopicName", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "accountId" + } + } + }, + { + "Sid": "SMSVoiceAllowEncryptedSNSTopics", + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:EncryptionContext:aws:sns:topicArn": "arn:partition:sns:region:accountId:snsTopicName", + "aws:CalledViaLast": "sns.amazonaws.com" + } + } + } + ] + }