Reputation: 55
Just when I thought I had cross-org permissions sorted, I am stuck with CloudWatch alarms and SNS. I have tried several options but am not able to get the access policy right on the SNS topic. The CloudWatch alarm and the SNS topic are in the same region but in different accounts in the same org. Surely I don't need Lambda in the middle to manage this; AWS have cross-org support for CloudWatch now. A few options I have tried are below.
SNS topic is in account A = 1111111111; CloudWatch alarm is in account B = 22222222
Option 1 - Account B has publish rights to the SNS topic
{
    "Sid": "__console_pub_0",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111111111111:root",
            "arn:aws:iam::222222222222:root"
        ]
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}
Option 2 - Gave the CloudWatch service access to publish to the SNS topic
{
    "Sid": "Allow_Publish_Alarms",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}
Option 3 - Cross-org permissions; I updated the IAM role in account B too
{
    "Sid": "CrossOrgPublish01",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
        }
    }
}
Upvotes: 4
Views: 10724
Reputation: 238051
Option 3 is correct. However, this is not an IAM role in Acc B. It should be added as a statement in the topic policy of Acc A.
Assuming you have a default topic policy in Acc A, after adding the new statement, you would have:
{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:Publish",
                "SNS:RemovePermission",
                "SNS:SetTopicAttributes",
                "SNS:DeleteTopic",
                "SNS:ListSubscriptionsByTopic",
                "SNS:GetTopicAttributes",
                "SNS:Receive",
                "SNS:AddPermission",
                "SNS:Subscribe"
            ],
            "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "111111111111"
                }
            }
        },
        {
            "Sid": "CrossOrgPublish01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
                }
            }
        }
    ]
}
Upvotes: 3
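As an added example (not code from the question or the answers), here is a small Python checker that evaluates a condensed copy of the merged topic policy above against a publish request's aws:SourceArn / aws:SourceOwner context. It lets you confirm offline that the alarm's account and region match the ArnLike pattern before deploying, and it flags any wildcard-principal statement that lacks a Condition, which is the mistake that would open the topic to every AWS account. It is a simplified evaluator (Allow statements only, ArnLike approximated with fnmatch), not the real IAM engine.

```python
import fnmatch

# Constructed sample, condensed from the merged topic policy in the answer above:
# the default statement for owning account A and the cross-account statement for B.
TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:Publish", "SNS:Subscribe"],
         "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
         "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}}},
        {"Sid": "CrossOrgPublish01", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
         "Condition": {"ArnLike": {
             "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(cond, ctx):
    """StringEquals and ArnLike only; condition keys are case-insensitive in IAM."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    for op, pairs in cond.items():
        if op not in ("StringEquals", "ArnLike"):
            return False  # unsupported operator: be conservative and do not match
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False  # a missing context key never satisfies the condition
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "ArnLike" and not any(
                    fnmatch.fnmatchcase(actual, p) for p in _as_list(expected)):
                return False
    return True

def allowed_sids(policy, action, resource, ctx):
    """Sids of Allow statements granting `action` on `resource` for this request context."""
    hits = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        if action.lower() not in [a.lower() for a in _as_list(s["Action"])]:
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue
        if _condition_matches(s.get("Condition", {}), ctx):
            hits.append(s["Sid"])
    return hits

def unconditioned_wildcard_sids(policy):
    """Allow statements with Principal '*' and no Condition: these open the topic to anyone."""
    return [s["Sid"] for s in policy["Statement"] if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Principal", {}).get("AWS", [])) and not s.get("Condition")]
```

An alarm in account B in us-east-2, or in a third account, returns no matching Sid, which is exactly the region and account mismatch the answers warn about.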
Reputation: 35146
Option 3 should work as per the AWS documentation, but you said they're in the same region.
In this, they're in different regions: one is us-east-1, one is us-east-2. It is important for these to share the same region.
Also, to validate, option 3 should be an SNS topic policy, not an IAM user or role.
To modify this, go to the SNS topic in the console, select Edit, then add the statement in the "Access policy" section.
Upvotes: 1