What is the difference between aws:SourceAccount and aws:SourceOwner in AWS SNS access policy statements


AWS documentation has examples of different SNS access control configurations.

There are two similar configuration examples:

The first one allows publishing notifications from another account's S3 bucket to an SNS topic:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
  "Condition": {
    "StringEquals": {
      "AWS:SourceAccount": "444455556666"
    }
  }
}

The second one allows publishing notifications from another account's SES email to an SNS topic:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
  "Condition": {
    "StringEquals": {
      "aws:SourceOwner": "111122223333"
    }
  }
}

The difference is that the first example uses aws:SourceAccount and the second one uses aws:SourceOwner.

The docs have a dedicated paragraph called "aws:SourceAccount versus aws:SourceOwner", but the distinction between these two statements is still unclear to me.

Could you please clarify the difference between aws:SourceAccount and aws:SourceOwner policy statements?

3


3
BEST ANSWER

The difference can be seen only when the owner of a resource is different from the account that the resource belongs to. It's an advanced setup. Here is an excerpt from the official doc that gives an example of this kind of setup.

... it is possible for another account to own a resource in your account. For example, the trusting account might allow the trusted account to create new resources, such as creating new objects in an Amazon S3 bucket.

Source

3

1. SourceOwner is used for giving access to other AWS Services from a specific account

For example, we want to define a policy that allows only SES from the account 111122223333 to publish messages to the topic 444455556666:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
      "Condition": {
        "StringEquals": {
          "aws:SourceOwner": "111122223333"
        }
      }
    }
  ]
}

2. SourceAccount is used for giving IAM roles access from an account to the topic.

For example, we want to define a policy that allows only the account 444455556666 to publish messages to the topic 111122223333:

{
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-2:111122223333:MyTopic",
    "Condition": {
      "StringEquals": {
        "AWS:SourceAccount": "444455556666"
      }
    }
  }]
}

Now for case #1, if you have only one account, it doesn't make sense, because SES will use the same account as SNS. But if you have more accounts, it brings a benefit in that you only allow the SES of a particular account to send messages to your topic.

Hope it helps. If it is not clear, please leave comments, and I will try to explain more.

Adding more information to make things clearer.

  1. Take the example of S3 sending an SNS message. In this case, AWS will use the credentials of an internal S3 account and make a call on behalf of your account, NOT from the resource. Because of that, we need to use aws:SourceAccount to perform the validation in the policy.

  2. Take the example of SES sending an SNS message. In this case, AWS will use the credentials of an internal S3 account and make a call on behalf of your resource, NOT from the account. Because of that, we need to use aws:SourceOwner in the policy.

I would recommend you refer to the documentation case by case to understand which one you need to use. But I do hope you understand the differences between the two of them now.

0

The difference is as others have described. It might be worth noting this from the GitHub issue: https://github.com/awsdocs/iam-user-guide/issues/111#issuecomment-1252880839

We don't plan to document aws:SourceOwner.
aws:SourceAccount was introduced as the preferred replacement.

So I would suggest using only aws:SourceAccount going forward.
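As an added example (not code from the question, the answers, or AWS), the following checker walks an SNS topic policy like the ones quoted above and reports two things a reviewer cares about: an Allow statement for a service or wildcard principal with no source condition at all (any account could drive that service at the topic), and any remaining use of aws:SourceOwner, which the GitHub comment above says has been superseded by aws:SourceAccount. It is a plain JSON walk, not AWS's policy evaluation engine; the sample policy is constructed from the second answer, and aws:SourceArn is assumed as a third valid source key (the page discusses only the first two).

```python
import json

# Constructed sample: the SES topic policy quoted in the second answer.
SES_POLICY = json.loads("""{
  "Statement": [{
    "Sid": "__default_statement_ID",
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
    "Condition": {"StringEquals": {"aws:SourceOwner": "111122223333"}}
  }]
}""")

# Keys that tie a service principal to the caller's account or resource (aws:SourceArn is assumed).
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourceowner", "aws:sourcearn"}
UNSCOPED = "service or wildcard principal without aws:SourceAccount/aws:SourceArn"
LEGACY = "uses aws:SourceOwner; prefer aws:SourceAccount"

def _condition_keys(statement):
    """All condition keys of a statement, lower-cased (IAM matches keys case-insensitively)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def _is_broad_principal(principal):
    """Service principal or "AWS": "*" wildcard: any account could be behind the call."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and ("Service" in principal or principal.get("AWS") == "*")

def audit_topic_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that lack a safe source condition.
    A broad principal with no source key is a confused-deputy exposure; aws:SourceOwner is legacy."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{idx}]")
        keys = _condition_keys(st)
        if _is_broad_principal(st.get("Principal", {})) and not keys & SOURCE_KEYS:
            findings.append((sid, UNSCOPED))
        if "aws:sourceowner" in keys:
            findings.append((sid, LEGACY))
    return findings
```

Run it against each topic policy exported with `aws sns get-topic-attributes` (the Policy attribute is a JSON string, so pass it through `json.loads` first).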