AWS Cross Account SNS Publish

Question

AWS Cross Account SNS Publish

12.2k Views Asked by DaDeem At 29 July 2017 at 00:03

We have two accounts 111111111111 and 222222222222.

Requirement - Account 111111111111 will create a snapshot of a RDS on a daily basis. Once the snapshot is taken, we want account 111111111111 to publish to the SNS topic created in account 222222222222. Once Account 222222222222 receives the notification it runs a Lambda function.

I have attached the following policy to the topic created in account 222222222222

     "Sid":"RestoreRDSEng_topic_publish",
     "Effect":"Allow",
     "Principal":{
        "AWS":"111111111111"
     },
     "Action":"sns:Publish",
     "Resource":"arn:aws:sns:us-east-1:222222222222:RestoreRDSEng",
     "Condition":{
        "StringEquals":{
           "AWS:SourceAccount":"222222222222"
        },

     }
  }

I am receiving the following error when account 111111111111 is trying to publish to 222222222222

*"message": "AuthorizationError: User: arn:aws:sts::************assumed-role/tf-rds_eventhandler/tf-rds_eventhandler is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:xxxxxxxxxxxx:RestoreRDSEng\n\tstatus code: 403, request id: 098f4647-c9ad-51fe-9bc3-17b45deef60e"*

Questions:

Is there anything wrong in this approach?
Should I create a role in account 222222222222 with trusted access to 111111111111?
Any other suggestions would be appreciated.

Original Q&A

There are 3 best solutions below

**robwhelan** · Answer 1 · 2019-10-11T20:33:51.137000

robwhelan On 11 October 2019 at 20:33

The Principal needs to be the service or role in account 11111... that you want to take the action of publishing to the SNS topic. For example:

 "Principal": {
     "Service": "cloudtrail.amazonaws.com"
   }

**Abdel Jaidi** · Answer 2 · 2020-07-06T20:51:18.650000

It should be:

    {
      "Sid": "lambda-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:222222222222:RestoreRDSEng"
    }

**Mike Dalrymple** · Answer 3 · 2023-06-09T17:48:36.840000

This is very doable and just requires 2 parts.

First, the SNS topic receiving messages (account 2222-2222-2222) must have a policy that permits "sns:Publish" from the other account (1111-1111-1111).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:222222222222:RestoreRDSEng"
    }
  ]
}

Second, whatever Role you're using in 1111-1111-1111 to do the publishing must have a Policy that permits "sns:Publish" to your desired topic. This is a case where I'm generally OK using the * resource but you can also restrict it to the ARN of the topic in the other account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sns:Publish",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        }
    ]
}

AWS Cross Account SNS Publish

There are 3 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AWS-ACCESS-POLICY

Trending Questions

Popular # Hahtags

Popular Questions