Is the policy for the SQS queues panther-aws-events-queue and panther-input-data-notifications-queue supposed to be open to all SNS topics?
The policy for these queues is valid. The policy is open to any SNS topic, but before a topic can send messages, it must send an approval request to Panther. Panther then approves or denies that request based on whether the requesting AWS account has been onboarded to Panther for monitoring. The reason for this AWS policy is that we cannot determine at deployment time which AWS accounts you want to monitor, so that decision is moved to runtime. In summary, while any SNS topic can request to use this queue, only the ones approved by Panther can actually send messages.
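The runtime gate described above, as an added illustration rather than Panther's own code: it parses the SubscriptionConfirmation message an SNS topic delivers to the queue and confirms only when the topic's owning account is in an onboarded set. The account IDs, topic names and messages are constructed; the real confirmation step (visiting SubscribeURL) is left out.

```python
import json
from typing import Optional

# Constructed set of onboarded AWS account IDs (assumption for this example).
ONBOARDED_ACCOUNTS = {"111111111111", "222222222222"}


def account_id_from_arn(arn: str) -> Optional[str]:
    """Return the 12-digit account ID from an SNS topic ARN, or None if malformed."""
    parts = arn.split(":")
    # ARN layout: arn:partition:service:region:account-id:resource
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "sns":
        return None
    account = parts[4]
    return account if account.isdigit() and len(account) == 12 else None


def should_confirm_subscription(message: dict, onboarded=ONBOARDED_ACCOUNTS) -> bool:
    """Approve a SubscriptionConfirmation only if the topic's account is onboarded."""
    if message.get("Type") != "SubscriptionConfirmation":
        return False
    account = account_id_from_arn(message.get("TopicArn", ""))
    return account is not None and account in onboarded


def handle_raw(body: str) -> str:
    """Classify one raw SQS message body as 'confirm', 'deny' or 'ignore'."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return "ignore"          # not an SNS envelope at all
    if msg.get("Type") != "SubscriptionConfirmation":
        return "ignore"          # ordinary notifications are not approval requests
    return "confirm" if should_confirm_subscription(msg) else "deny"


# Constructed sample envelopes shaped like what SNS delivers to an SQS queue.
APPROVED_REQUEST = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": "arn:aws:sns:us-east-1:111111111111:cloudtrail-events",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=EXAMPLE",
})
UNKNOWN_ACCOUNT_REQUEST = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": "arn:aws:sns:us-east-1:999999999999:cloudtrail-events",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=EXAMPLE",
})

if __name__ == "__main__":
    for body in (APPROVED_REQUEST, UNKNOWN_ACCOUNT_REQUEST):
        print(json.loads(body)["TopicArn"], "->", handle_raw(body))
```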