We have two accounts 111111111111 and 222222222222.
Requirement - Account 111111111111 will create a snapshot of an RDS instance on a daily basis. Once the snapshot is taken, we want account 111111111111 to publish to the SNS topic created in account 222222222222. Once account 222222222222 receives the notification, it runs a Lambda function.
I have attached the following policy statement to the topic created in account 222222222222:

```json
{
  "Sid": "RestoreRDSEng_topic_publish",
  "Effect": "Allow",
  "Principal": {
    "AWS": "111111111111"
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-1:222222222222:RestoreRDSEng",
  "Condition": {
    "StringEquals": {
      "AWS:SourceAccount": "222222222222"
    }
  }
}
```
I am receiving the following error when account 111111111111 tries to publish to 222222222222:

```
"message": "AuthorizationError: User: arn:aws:sts::************assumed-role/tf-rds_eventhandler/tf-rds_eventhandler is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:xxxxxxxxxxxx:RestoreRDSEng\n\tstatus code: 403, request id: 098f4647-c9ad-51fe-9bc3-17b45deef60e"
```
Questions:
Is there anything wrong in this approach?
Should I create a role in account 222222222222 with trusted access to 111111111111?
Any other suggestions would be appreciated.
This is very doable and just requires 2 parts.
First, the SNS topic receiving messages (account 2222-2222-2222) must have a policy that permits "sns:Publish" from the other account (1111-1111-1111).
Second, whatever Role you're using in 1111-1111-1111 to do the publishing must have a Policy that permits "sns:Publish" to your desired topic. This is a case where I'm generally OK using the `*` resource, but you can also restrict it to the ARN of the topic in the other account.
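The two halves the answer describes, written out as policy documents with a small evaluator that checks them together. This is an added example, not code from the thread or from AWS; the account numbers and topic name are taken from the question, while the statement Sids, the root-ARN principal form, and the evaluator's simplified semantics (explicit Deny wins, StringEquals only, wildcard matching on action and resource) are assumptions for illustration. The evaluator also shows why a `StringEquals` condition on a key that is not present in the request context never matches: `aws:SourceAccount` is only set when an AWS service calls on a resource's behalf, not when an IAM role calls `sns:Publish` directly.

```python
"""Cross-account SNS publish: both policy halves plus a minimal evaluator.

Added example (not from the original thread). Account IDs and the topic name
come from the question; Sids, the role/topic policy shapes and the evaluator
semantics below are simplified assumptions for illustration.
"""
import fnmatch
import json

PUBLISHER_ACCOUNT = "111111111111"   # account that takes the RDS snapshot
TOPIC_ACCOUNT = "222222222222"       # account that owns the topic and the Lambda
TOPIC_ARN = f"arn:aws:sns:us-east-1:{TOPIC_ACCOUNT}:RestoreRDSEng"


def topic_policy(publisher_account: str, topic_arn: str) -> dict:
    """Part 1: resource policy on the topic in the receiving account.

    Principal is the publishing account. No aws:SourceAccount condition:
    that key is absent from a direct sns:Publish call made by an IAM role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestoreRDSEng_topic_publish",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{publisher_account}:root"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def topic_policy_as_posted() -> dict:
    """The statement from the question, wrapped in a full policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestoreRDSEng_topic_publish",
            "Effect": "Allow",
            "Principal": {"AWS": PUBLISHER_ACCOUNT},
            "Action": "sns:Publish",
            "Resource": TOPIC_ARN,
            "Condition": {"StringEquals": {"AWS:SourceAccount": TOPIC_ACCOUNT}},
        }],
    }


def role_policy(topic_arn: str) -> dict:
    """Part 2: identity policy on the publishing role in the sending account,
    scoped to the one foreign topic ARN instead of "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublishToRestoreRDSEng",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(stmt: dict, context: dict) -> bool:
    """StringEquals only. Condition keys are case-insensitive; a key that is
    absent from the request context makes the condition evaluate to false."""
    ctx = {k.lower(): v for k, v in context.items()}
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key.lower()) not in _as_list(want):
            return False
    return True


def _principal_matches(stmt: dict, caller_account: str) -> bool:
    """Accept "*", a bare account ID, or the account's root ARN (the forms the
    thread uses); an identity policy has no Principal and always matches."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return any(p in ("*", caller_account, f"arn:aws:iam::{caller_account}:root")
               for p in allowed)


def evaluate(policy, action, resource, caller_account, context=None) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt, caller_account) or not _conditions_hold(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_publish_cross_account(topic_pol, role_pol, caller_account, topic_arn, context=None):
    """Cross-account access needs BOTH halves to allow: the caller's identity
    policy and the topic's resource policy. There is no same-account shortcut."""
    return (evaluate(role_pol, "sns:Publish", topic_arn, caller_account, context)
            and evaluate(topic_pol, "sns:Publish", topic_arn, caller_account, context))


if __name__ == "__main__":
    print(json.dumps(topic_policy(PUBLISHER_ACCOUNT, TOPIC_ARN), indent=2))
    print(json.dumps(role_policy(TOPIC_ARN), indent=2))
    print("fixed pair allows:", can_publish_cross_account(
        topic_policy(PUBLISHER_ACCOUNT, TOPIC_ARN), role_policy(TOPIC_ARN),
        PUBLISHER_ACCOUNT, TOPIC_ARN))
    print("posted topic policy allows:", evaluate(
        topic_policy_as_posted(), "sns:Publish", TOPIC_ARN, PUBLISHER_ACCOUNT))
```

Run it and the fixed pair evaluates to allowed while the posted topic policy does not, because its `AWS:SourceAccount` condition is tested against a request context that does not carry that key. Scoping the role policy to the topic ARN rather than `*` means a compromised or misconfigured role in the publishing account can reach only that one topic; the topic policy is still the gate that decides which foreign accounts may publish at all.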