From 0ff72aa9fa7975efc6768e96373f655cd085da63 Mon Sep 17 00:00:00 2001
From: Thomas Poepping
Date: Wed, 19 Oct 2022 16:00:01 -0700
Subject: [PATCH] Add explicit SNS Publish permission to onboarding service for core-stack-listener. (#382)
Co-authored-by: PoeppingT
---
 resources/saas-boost-svc-onboarding.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/resources/saas-boost-svc-onboarding.yaml b/resources/saas-boost-svc-onboarding.yaml
index 286f69c4..cbcddb6c 100644
--- a/resources/saas-boost-svc-onboarding.yaml
+++ b/resources/saas-boost-svc-onboarding.yaml
@@ -347,7 +347,8 @@ Resources:
 Action:
 - sns:Publish
 Resource:
- - !Sub arn:aws:sns:${AWS::Region}:${AWS::AccountId}:sb-*
+ - !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:sb-${Environment}-onboarding*
+ - !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:sb-${Environment}-core-stack-listener
 - Effect: Allow
 Action:
 - ssm:GetParameter*
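Review bot: The first new Resource entry still ends in a trailing wildcard (`sb-${Environment}-onboarding*`), so this statement allows `sns:Publish` to any topic in the account and region whose name merely begins with that prefix, not only the topics the onboarding service owns. If those topics have fixed names, list them exactly as the core-stack-listener entry does, or take the ARNs from the resources that create them; if the suffix is generated at deploy time, a comment such as `# suffix is generated; wildcard limited to this environment's onboarding topics` would record why the wildcard stays. The second entry hard-codes the listener topic name, which presumably has to match the name declared in the core stack, and a mismatch would only show up as an AccessDenied at publish time. The policy statement and the role it attaches to begin above the hunk, so the principal receiving this permission is not visible here.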