Reputation: 309
I'm automating cloudtrail creation in multiple accounts using python boto3. My issue is that create_trail doesn't automatically create the sns topic to associate with the trail. create_trail expects the sns topic to already exist.
I can create the sns topic with boto, but I can't seem to set the policy for the topic to allow cloudtrail to publish to the topic.
This is what the correct policy looks like in the console:
    {
        "Sid": "AWSCloudTrailSNSPolicy20150319",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudtrail.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:123456678912:us-east-1-trail"
    }
There doesn't seem to be a way to give permissions to a service with boto:
    import boto3

    client = boto3.client('sns')
    # ARN of the topic from the policy above
    arn = 'arn:aws:sns:us-east-1:123456678912:us-east-1-trail'

    # add_permission only accepts AWS account IDs as principals, not a service
    client.add_permission(
        TopicArn=arn,
        Label='AWSCloudTrailSNSPolicy20150319',
        AWSAccountId=[
            '12345678912'
        ],
        ActionName=[
            'Publish',
        ]
    )
If I add the account here the create_trail call still fails with:
    An error occurred (InsufficientSnsTopicPolicyException) when calling the CreateTrail operation: SNS Topic does not exist or the topic policy is incorrect!
Is there a way to just give permissions to a service or to automatically set this when creating the trail or sns topic?
Upvotes: 3
Views: 1716
Reputation: 22208
I received the exact same error when I used Cloud Trail with SNS via Terraform.
The problem is that the Terraform docs state that sns_topic_name is:

    sns_topic_name - (Optional) Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

When I entered the SNS topic name, it gave me the mentioned error.
When I changed it to the ARN instead, it worked.
Upvotes: 1
Reputation: 11
Perhaps use SetTopicAttributes (http://docs.aws.amazon.com/sns/latest/api/API_SetTopicAttributes.html). This topic discusses allowing cloudwatch events to publish to an SNS topic - http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/resource-based-policies-cwe.html
Upvotes: 1
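The SetTopicAttributes route from the answer above, worked through in boto3 as an added example (this is not code from the question or from either answer). It builds the same service-principal statement the console generates, merges it into the topic's existing Policy attribute instead of overwriting it, writes it back with set_topic_attributes, and includes a pre-flight check that the policy actually grants SNS:Publish to cloudtrail.amazonaws.com, which is the condition create_trail is complaining about. The optional aws:SourceArn condition is a hardening step beyond the page's policy: it pins the grant to one trail ARN so a trail in another account cannot reuse the topic. FakeSnsClient, the topic and trail names, the account id and the log bucket name are all constructed placeholders; the real run at the bottom needs credentials and a log bucket that already has its own CloudTrail bucket policy.

```python
"""Grant the CloudTrail service principal SNS:Publish on a topic via
SetTopicAttributes, then create the trail against the topic ARN."""
import json

CLOUDTRAIL_SID = "AWSCloudTrailSNSPolicy20150319"
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def build_cloudtrail_statement(topic_arn, trail_arn=None):
    """Statement letting the CloudTrail service principal publish to topic_arn.
    It mirrors the console-generated statement in the question. trail_arn is an
    optional hardening step beyond the page: an aws:SourceArn condition so only
    that trail (and not a trail in some other account) can use the grant."""
    statement = {
        "Sid": CLOUDTRAIL_SID,
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
    }
    if trail_arn is not None:
        statement["Condition"] = {"StringEquals": {"aws:SourceArn": trail_arn}}
    return statement


def merge_statement(policy, statement):
    """Copy of policy with statement added, replacing any earlier statement
    that carries the same Sid so repeated runs do not pile up grants."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM grammar allows a single object here
        statements = [statements]
    kept = [s for s in statements if s.get("Sid") != statement["Sid"]]
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": kept + [statement]}


def apply_cloudtrail_topic_policy(sns, topic_arn, trail_arn=None):
    """Read the topic's current Policy attribute, merge the CloudTrail grant,
    and write it back with set_topic_attributes (the SetTopicAttributes API).
    Returns the policy document that was written."""
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    current = json.loads(attrs["Policy"]) if attrs.get("Policy") else EMPTY_POLICY
    merged = merge_statement(current, build_cloudtrail_statement(topic_arn, trail_arn))
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy", AttributeValue=json.dumps(merged)
    )
    return merged


def cloudtrail_can_publish(policy, topic_arn):
    """Pre-flight for create_trail: does some Allow statement grant SNS:Publish
    on topic_arn to the CloudTrail service principal? An account-only grant
    (what add_permission produces) does not satisfy this."""
    for s in policy.get("Statement", []):
        principal = s.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else None
        services = service if isinstance(service, list) else [service]
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if (s.get("Effect") == "Allow"
                and "cloudtrail.amazonaws.com" in services
                and any(a.lower() == "sns:publish" for a in actions)
                and s.get("Resource") in (topic_arn, "*")):
            return True
    return False


class FakeSnsClient:
    """Offline stand-in for boto3's SNS client (constructed for this example):
    keeps one topic policy in memory and exposes the two calls used above."""
    def __init__(self, policy_json=None):
        self.policy_json = policy_json

    def get_topic_attributes(self, TopicArn):
        attrs = {"TopicArn": TopicArn}
        if self.policy_json is not None:
            attrs["Policy"] = self.policy_json
        return {"Attributes": attrs}

    def set_topic_attributes(self, TopicArn, AttributeName, AttributeValue):
        assert AttributeName == "Policy"
        self.policy_json = AttributeValue
        return {}


if __name__ == "__main__":
    # Real run: needs credentials and an existing log bucket with a CloudTrail
    # bucket policy. Region, names and bucket below are placeholders.
    import boto3
    sns = boto3.client("sns", region_name="us-east-1")
    cloudtrail = boto3.client("cloudtrail", region_name="us-east-1")
    topic_arn = sns.create_topic(Name="us-east-1-trail")["TopicArn"]
    account_id = topic_arn.split(":")[4]
    trail_arn = f"arn:aws:cloudtrail:us-east-1:{account_id}:trail/us-east-1-trail"
    written = apply_cloudtrail_topic_policy(sns, topic_arn, trail_arn)
    assert cloudtrail_can_publish(written, topic_arn)
    # Pass the topic ARN rather than the bare name, as the Terraform answer found.
    cloudtrail.create_trail(Name="us-east-1-trail",
                            S3BucketName="EXAMPLE-LOG-BUCKET",
                            SnsTopicName=topic_arn)
```

Merging rather than replacing matters because a freshly created topic already carries a default policy for the owning account; overwriting it silently drops those grants. Running the function twice leaves exactly one CloudTrail statement thanks to the Sid match.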