How to fix ERORR "Your budget must have permissions to send a notification to your topic " on AWS

Question

I trying to implementing AWS Budgets in my AWS Organization/Member Account and trigger the SNS topic present in Root Account.

AWS Account hierarchy :

• In the Member/ Organization Account (XYZ), I have created an AWS budget.
• When the budget threshold is crossed, it publish a message to the SNS topic that is been created in the Root AWS Account (ABC).
• The SNS Topic will trigger a lambda function to perform some business logic.

Architecture :

Issue is that when i paste the Root account SNS Topic ARN in Member account AWS Budget setting its throws this error -> "Your budget must have permissions to send a notification to your topic"

So, I followed the steps mentioned in the AWS Doc : https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-sns-policy.html and added SNS Topic Access policy

But still getting the same error.

SNS Topic Access Policy :

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:ROOT_ACCOUNT_ID:AWS_Sandbox_Budget",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "*"
        }
      }
    },
    {
      "Sid": "AWSBudgetsSNSPublishingPermissions",
      "Effect": "Allow",
      "Principal": {
        "Service": "budgets.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:ROOT_ACCOUNT_ID:AWS_Sandbox_Budget",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "*"
        }
      }
    }
  ]
}

How do i fix this ?

PLEASE help me fix this issue, I don't want to move the Root account Architecture to member account.

Answer 1

Cross Account SNS Config not supported

Contacted the AWS Premium Support for more details and here is the response.

---

Warm Greetings from AWS Premium Support.

I understand that you are trying to configure a Budget alert to send the notifications to the SNS topic in Another Account. And while creating the Budget alert you are getting an error "Your budget must have permissions to send a notification to your topic.” even when the Topic has the required permissions. Please correct me in case I might have misunderstood the issue.

To investigate this issue, I have tried replicating similar setup in my test environment by creating SNS topic and Budget notification[1] in different Account and observed that even when the SNS topic has the required permissions mentioned here[1] Budget console threw the error "Your budget must have permissions to send a notification to your topic.”.

Further, I tried researching about this at my end and based on investigation I would like to inform you that AWS Budgets service currently doesn’t support cross account SNS notifications[2]. This might be the reason that Console showed an error message such as “Your budget must have permissions to send a notification to your topic.”[3] even though the cross account topic has permissions for the AWS budgets service to publish notifications to it.

Moving further, I would like to share that our Development Team is aware about this limit and there is a feature request for supporting cross account SNS topic notifications with AWS Budget. I went ahead and conveyed your requirement to the Service team on your behalf so that the team will be aware of the increasing number of customers required/requesting this feature. You can be assured that Budget team works meticulously towards providing a better customer experience by adding different functionality to the service. However, I am afraid I won't be able to provide any ETA on the resolution or release of the new features as being a support engineer, we have very limited visibility in backend development teams’ working queue/roadmap. Therefore, I would kindly request you to keep an eye on Budget release history for updated information or announcements about new updates:

[+] https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/History.html

You can also keep track of the updates and improvements on the Budget by referring below pages:

[+] https://aws.amazon.com/new/ [+] https://aws.amazon.com/blogs/

Having said that, as a workaround to send the notification from Account A to Account B would be by adding a Lambda function as an intermediary. You can send budget notifications to an SNS topic in the same account. This SNS topic can have a subscription to a Lambda function which resides in a different account (Eg: Account B). This Lambda function will need to have a custom logic to process the event coming to it based on your requirements, and then send the notification to the SNS topic (Account B) using SNS Publish API call [4], if you wish to take further actions using the notification received from the topic. The workflow would look like share below:

Possible Solution :

AWS Budgets -> SNS topic (same account i.e. Account A) -> Lambda function (Account B) -> SNS topic (Account B)

I sincerely regret the inconvenience caused due to this limitation with AWS Budget. However, I hope that provided workaround will be useful to you for achieving the needed requirement.

---

The AWS Technical team has contacted the AWS Budget internal service team and forwarded the feedback. Hope this feature will be available in the future.

Answer 2

From the AWS Budgets documentation:

Amazon SNS topics must be in the same account as the Budgets you're configuring. Cross-account Amazon SNS isn't supported."

Link

In order for the design to work the actual architecture should be:

1. Create a budget in the member account
2. Create a SNS topic in the member account
3. Create a SNS subscription for the lambda function from the root account to the SNS topic in the member account
4. If it doesn't work - check the lambda permissions or the SNS policy

Answer 3

Replace your SID section "AWSBudgetsSNSPublishingPermissions" with the following, it should work.

{
   "Sid": "AWSBudgetsSNSPublishingPermissions",
   "Effect": "Allow",
   "Principal": {
       "Service": "budgets.amazonaws.com"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:ROOT_ACCOUNT_ID:AWS_Sandbox_Budget"
}