SNS cross account subscription with additional layer

Question

We own an AWS Account, account A. We rely on an external team to publish messages to their SNS topic, which is in their account B. We use an SQS queue in account A to subscribe to the SNS topic in account B. Account A has been whitelisted by the owner of account B to subscribe to the SNS topic.

Now, we would like to subscribe to the SNS topic in Account B for multiple (new) accounts. However, the team that owns account B does not have the capacity to manually whitelist the many accounts we will be creating.

Is there a way for us to delegate or proxy permissions from account A to all the new accounts that we are creating, via something like an IAM Role created in account A?

Answer 1

If you can't rely on the owners of Account-B to do anything for you, then your only option would be:

• Create your own SNS Topic in Account-A (Topic-A) where you can manage subscriptions
• Create an AWS Lambda function that will send messages to Topic-A
• Subscribe the Lambda function to your existing Queue-A, so that any message sent to Queue-A will be re-sent to Topic-A
• Have all the accounts use Topic-A as if it was Topic-B

This way, you can use your existing SQS queue (Queue-A) as a 'relay' to a new SNS topic (Topic-A) under your control. You would also need to change your current apps that consume from Queue-A to consume from a new queue that is subscribed to Topic-A.

Answer 2

Your current situation is:

• Amazon SQS queue (Queue-A) in Account-A owned by you
• Amazon SNS topic (Topic-B) in Account-B owned by somebody else
• Permissions have been added to Topic-B that allows Account-A to subscribe to the topic

The above has worked well.

New requirements:

• Allow Account-C and Account-D to subscribe to Topic-B
• The owner of Account-B does not wish to modify the permissions on Topic-B to allow these subscription requests

Solution

Instead of Account-C and Account-D sending a Subscribe() request, ask the owner of Topic-B to directly subscribe the new queues.

You say that "the team that owns account B does not have the capacity to manually whitelist the many accounts we will be creating."

This is based on the idea that Account-C and Account-D should, themselves, send the Subscribe request to Topic-B. Instead, I am recommending that you provide the ARNs of Queue-C and Queue-D to the team that owns Topic-B and ask them to add these queues as subscribers. This does not require any change to the permission policy on Topic-B.

However, a couple of things to note:

• Queue-C and Queue-D will need to confirm the subscription. The easiest way to do this is to view the initial message sent to the queue after being subscribed to the topic, copy the subscription URL shown in the message and then paste it into a web browser. This is a one-off process.
• Queue-C and Queue-D will need to add permission to allow Topic-B to send a message to their queue. You probably have this in place already for Queue-A. The policy would look like:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:ap-southeast-2:ccc:my-queue/SQSDefaultPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:ap-southeast-2:ccc:my-queue",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:ap-southeast-2:bbb:their-topic"
        }
      }
    }
  ]
}

See also:

• Sending Amazon SNS messages to an Amazon SQS queue in a different account - Amazon Simple Notification Service
• Using Amazon SNS for system-to-system messaging with an Amazon SQS queue as a subscriber - Amazon Simple Notification Service

Answer 3

The problem is that account B is trying to give permission to a specific user of account A. Like you mentioned, this can be an issue if you need to setup multiple accounts.

You can solve this in multiple ways.

1. Account B gives the root of Account A permission. Then, Account A has full permission to delegate the access to any IAM roles / users. Here is a blog post contains this method of setup https://aws.amazon.com/blogs/compute/cross-account-integration-with-amazon-sns/
2. Create an IAM group in Account A, and assign users to the group. Then, in Account B give the permission to Account A's group instead of the specific user. Here is an example of providing access via groups

Please note that if you are going with solution #1 that any IAM user in account A will be able to access the SNS resource. If multiple applications are running in account A this could be an issue.