AWS Cross Account SNS Publish

4
votes

We have two accounts 111111111111 and 222222222222.

Requirement - Account 111111111111 will create a snapshot of a RDS on a daily basis. Once the snapshot is taken, we want account 111111111111 to publish to the SNS topic created in account 222222222222. Once Account 222222222222 receives the notification it runs a Lambda function.

I have attached the following policy to the topic created in account 222222222222

     "Sid":"RestoreRDSEng_topic_publish",
     "Effect":"Allow",
     "Principal":{
        "AWS":"111111111111"
     },
     "Action":"sns:Publish",
     "Resource":"arn:aws:sns:us-east-1:222222222222:RestoreRDSEng",
     "Condition":{
        "StringEquals":{
           "AWS:SourceAccount":"222222222222"
        },

     }
  }

I am receiving the following error when account 111111111111 is trying to publish to 222222222222

*"message": "AuthorizationError: User: arn:aws:sts::************assumed-role/tf-rds_eventhandler/tf-rds_eventhandler is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:xxxxxxxxxxxx:RestoreRDSEng\n\tstatus code: 403, request id: 098f4647-c9ad-51fe-9bc3-17b45deef60e"*

Questions:

  1. Is there anything wrong in this approach?

  2. Should I create a role in account 222222222222 with trusted access to 111111111111?

  3. Any other suggestions would be appreciated.

2
amazon-web-servicesaws-access-policy
Welcome to StackOverflow! So, can your requirement be simplified to "Trigger an AWS Lambda function in Account 2 when an Amazon RDS snapshot is completed in Account 1"? If so, have you considered having Amazon RDS in Account 1 send a notification to an Amazon SNS topic in Account 1, to which an AWS Lambda function in Account 2 is a subscriber? This way, SNS in Account 1 will directly trigger the Lambda function in Account 2. See: Tutorial: Using AWS Lambda with Amazon SNSJohn Rotenstein
Also, a potential use case for Amazon CloudWatch Event Buses! See: Sending and Receiving Events Between AWS AccountsJohn Rotenstein
Thanks for the reply.DaDeem
So My question isDaDeem
1) Can't we do the way I mentioned in my original post?DaDeem

2 Answers

0
votes

The Principal needs to be the service or role in account 11111... that you want to take the action of publishing to the SNS topic. For example:

 "Principal": {
     "Service": "cloudtrail.amazonaws.com"
   }
0
votes

It should be:

    {
      "Sid": "lambda-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:222222222222:RestoreRDSEng"
    }