Allow a CloudWatch alarm to publish to an SNS topic in another account

I have an SNS topic in account "A" which is a trigger for a Lambda function in the same account. This Lambda function sends a message to a private Slack channel.

This works fine as long as the CloudWatch alarm is in the same account (account A).

But I also want to do this from account B, and there I get:

{
  "error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "actionState": "Failed",
  "notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "stateUpdateTimestamp": 1495732611020,
  "publishedMessage": null
}

So how do I allow a CloudWatch alarm ARN to publish to a topic?

The attempt to add a policy fails:

Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725)

I see someone else had the same issue (years ago!) at https://forums.aws.amazon.com/thread.jspa?threadID=143607 but it has never been answered.

Update:

Trying to solve this, I am now using a local SNS topic which then forwards to the remote account. However, I still get:

"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"

This is with this SNS policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    }
  ]
}

If I manually post to the topic with Post to Topic, I see it reaches the Lambda function, so everything works except the CloudWatch permissions.

1 answer


Through trial and error, I found this condition was not working, for some reason. Not sure why it didn't see the original account ...

A broader policy made it work:



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    },
    {
      "Sid": "AllowCloudWatchAlarmsToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*"
        }
      }
    }
  ]
}
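
An added example, not code from the thread above: a small Python script that builds the topic policy for the cross-account case the question asks about, with one statement per alarm-owning account scoped by aws:SourceArn and aws:SourceAccount, checks the result for unscoped wildcard principals, and evaluates it offline against sample alarm ARNs. The account IDs, region and topic name are constructed placeholders. It uses the CloudWatch service principal cloudwatch.amazonaws.com instead of the answer's "AWS": "*" (this example's choice, not something the thread confirms; the ArnLike condition is what limits the grant either way), and the evaluator models only the Allow / StringEquals / ArnLike subset of the policy language that the thread's policies use. Note that the answer's ArnLike pattern names LOCAL_ACCOUNT, so alarms in a remote account need their own statement naming that account, which is what build_topic_policy emits.

```python
"""Build, check and offline-evaluate an SNS topic policy that lets CloudWatch
alarms in other accounts publish to the topic. Added example; not from the
original thread. Account IDs, region and topic name are placeholders."""
import fnmatch
import json

REGION = "us-east-1"
ACCOUNT_A = "111111111111"   # owns the topic and the Slack Lambda (constructed)
ACCOUNT_B = "222222222222"   # owns the alarms (constructed)
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_A}:slack-alerts"


def alarm_publish_statement(topic_arn, alarm_account, region):
    """One statement per alarm-owning account. The CloudWatch service
    principal is this example's assumption; the two conditions are what
    confine the grant to alarms living in alarm_account."""
    return {
        "Sid": f"AllowCloudWatchAlarmsFrom{alarm_account}",
        "Effect": "Allow",
        "Principal": {"Service": "cloudwatch.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:cloudwatch:{region}:{alarm_account}:alarm:*"},
            "StringEquals": {"aws:SourceAccount": alarm_account},
        },
    }


def build_topic_policy(topic_arn, alarm_accounts, region):
    return {
        "Version": "2012-10-17",
        "Statement": [alarm_publish_statement(topic_arn, a, region) for a in alarm_accounts],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_like(arn, pattern):
    """ArnLike compares the six colon-delimited ARN components one by one,
    so a '*' in one component cannot match across a colon into another."""
    arn_parts, pat_parts = arn.split(":", 5), pattern.split(":", 5)
    return len(arn_parts) == 6 and len(pat_parts) == 6 and all(
        fnmatch.fnmatchcase(a, p) for a, p in zip(arn_parts, pat_parts))


def _condition_holds(condition, ctx):
    """Condition keys are case-insensitive. A key absent from the request
    context (e.g. aws:SourceArn on a plain user Publish) never matches."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "ArnLike":
                if not any(_arn_like(actual, p) for p in _as_list(wanted)):
                    return False
            else:
                raise ValueError(f"operator {operator!r} not modelled here")
    return True


def publish_allowed(policy, topic_arn, ctx):
    """True if some Allow statement grants sns:Publish on topic_arn for the
    given request context. Deny statements are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt["Action"])}
        if not actions & {"sns:publish", "sns:*"}:
            continue
        if topic_arn not in _as_list(stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


def unscoped_wildcard_statements(policy):
    """Sids of Allow statements with Principal '*' and no Condition: such a
    statement lets any AWS account, or an anonymous caller, publish."""
    found = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        wild = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wild and not stmt.get("Condition"):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def main():
    policy = build_topic_policy(TOPIC_ARN, [ACCOUNT_B], REGION)
    print(json.dumps(policy, indent=2))
    import boto3  # only needed to attach the policy to the real topic
    boto3.client("sns", region_name=REGION).set_topic_attributes(
        TopicArn=TOPIC_ARN, AttributeName="Policy", AttributeValue=json.dumps(policy))


if __name__ == "__main__":
    main()
```

Attaching the policy (main) needs boto3 and credentials in the topic's account; the builder, the wildcard check and the evaluator run without any AWS access, so they can be used to review a topic policy before it is applied.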
