AWS Cloudwatch alarm from Account A unable to publish to SNS topic in Account B

1
votes

Just when I thought I had cross org permissions sorted I am stuck with CloudWatch alarms and SNS. Have tried several options but am not able to get the access policy right on the SNS topic. Cloudwatch and SNS topic are in the same region but different accounts in the same org. Surely I don't need lambda in the middle to manage this, AWS have cross org support for CloudWatch now. Few options below I have tried.

SNS Topic is in account A = 1111111111 Cloudwatch alarm is in account B = 22222222

Option 1 - Account B has publish rights to the SNS topic

{
    "Sid": "__console_pub_0",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111111111111:root",
        "arn:aws:iam::222222222222:root"
      ]
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
  }

Option 2 - Gave the Cloudwatch service access to publish to the SNS topic

 {
        "Sid": "Allow_Publish_Alarms",
        "Effect": "Allow",
        "Principal":
        {
            "Service": [
                "cloudwatch.amazonaws.com"
            ]
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
    }

Option 3 - Cross org permissions, I updated the IAM role in account B too

 {
       "Sid": "CrossOrgPublish01",
       "Effect": "Allow",
       "Principal": {
          "AWS": "*"
       },
       "Action": "SNS:Publish",
       "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
       "Condition": {
          "ArnLike": {
             "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
          }
       }
    }
2
amazon-web-servicesamazon-cloudwatchamazon-sns

2 Answers

2
votes

Option 3 is correct. However, this is not IAM role in Acc B. It should be added as a statement in a topic policy of Acc A.

Assuming you have a default topic policy in Acc A, after adding the new statement, you would have:

SNS topic policy in ACC A

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111111111111"
        }
      }
    },       
    {
       "Sid": "CrossOrgPublish01",
       "Effect": "Allow",
       "Principal": {
          "AWS": "*"
       },
       "Action": "sns:Publish",
       "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
       "Condition": {
          "ArnLike": {
             "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
          }
       }
    }

  ]
}
1
votes

Option 3 should work as per the AWS documentation but you said they're in the same region.

In this they're different regions. One is us-east-1 one is us-east-2. It is important for these to share the same region.

Also to validate option 3 should be an SNS topic policy, not an IAM user or role.

To modify this, go to the SNS topic in the console, select edit, then add to the statement in the "Access Policy" section.