How to send SMS through SNS and Cloudwatch?

Question

I am trying to send SMS to my Mobile when my EC2 instance stops.

1. I am automatically stopping my EC2 instance and now I want to send SMS to my mobile when it stops.
2. I created SNS topic with my mobile no. as subscriber.
3. I created an Alarm when the EC2 stops.
4. Under SNS > Mobile > Text messaging (SMS) > Text messaging preferences (Edit):

a. I selected "Default message type" as "Transactional".

b. I created a new IAM role.

IAM role policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

SNS topic access policy

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-west-2:account-id:sns-topic-name",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "account-id"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudwatch:us-west-2:account-id:alarm:*"
        }
      }
    }
  ]
}

When the alarm is triggered, I am getting the below error:

{
  "actionState": "Failed",
  "stateUpdateTimestamp": 1561102479560,
  "notificationResource": "arn:aws:sns:us-west-2:account-id:sns-topic-name",
  "publishedMessage": null,
  "error": "Resource: arn:aws:cloudwatch:us-west-2:account-id:alarm:alarm-name is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-west-2:account-id:sns-topic-name"
}

I am unable to understand what permission is it expecting.

Answer 1

It seems the error is due to missing permissions on your IAM role for publishing messages to an SNS topic. Make arrangements to attach necessary permissions to the role you use or to the user, like this:

 {
  "Id": "Policy1415489375392",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy20150201",
      "Action": [
        "SNS:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Principal": {
        "AWS": [
          "account-id1",
          "account-id2",
          "account-id3",
        ]
      }
    }
  ]
}

Answer 2

The cause of the error is most likely due to the policy having incorrect values. I'm not sure which values you changed to protect sensitive values, but you'd need to update sns-topic-name and account-id.

However, I would recommend another way of achieving your goals...

You can use Amazon CloudWatch Events to look out for a specific event (eg an instance changing state to Stopped) and have it send a message to Amazon SNS directly (without using an Alarm).

The steps are:

• In the Amazon CloudWatch console, click Rules
• Create rule
• Service name: EC2
• Event type: EC2 Instance State-change Notification
• Specific state(s): Stopped
• Choose Any instance or Specific instance Id(s)
• On the right, under Targets, click Add target
• SNS topic
• Select your topic

This will then send a message whenever the instance stops.