Allow CloudWatch Alarm to send SNS to another account
I have an SNS topic in account "A" which is a trigger for a Lambda function in the same account. This Lambda function sends a message to a private Slack channel.
This works fine as long as the CloudWatch signal is on the same account (account A).
But I also want to do this from "Account B", but there I get:
{
"error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
"actionState": "Failed",
"notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
"stateUpdateTimestamp": 1495732611020,
"publishedMessage": null
}
So how do I allow CloudWatch Alarm ARN to be published to a topic?
The attempt to add a policy fails:
Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725)
I see someone else had the same issue (years ago!) At https://forums.aws.amazon.com/thread.jspa?threadID=143607 but it has never been answered.
Update:
Trying to solve this, now I am trying to use a local SNS theme which then sends it to the remove account. However, I still get:
"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
This, with this SNS policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLambdaAccountToSubscribe",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
},
"Action": [
"sns:Subscribe",
"sns:Receive"
],
"Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
},
{
"Sid": "AllowLocalAccountToPublish",
"Effect": "Allow",
"Principal": "*",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "LOCAL_ACCOUNT"
}
}
}
]
}
If I manually post to a topic with Post to Topic , I see it reaches the Lambda function, so everything except CloudWatch permissions.
source to share
Through trial error, I found this condition was not working. For some reason. Not sure why he didn't see the original account ...
A broader policy made it work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLambdaAccountToSubscribe",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
},
"Action": [
"sns:Subscribe",
"sns:Receive"
],
"Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
},
{
"Sid": "AllowLocalAccountToPublish",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "LOCAL_ACCOUNT"
}
}
},
{
"Sid": "AllowCloudWatchAlarmsToPublish",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*"
}
}
}
]
}
source to share