Amazon SNS topic policy for CloudTrail - Amazon CloudTrail

Amazon SNS topic policy for CloudTrail

To send notifications to an SNS topic, CloudTrail must have the required permissions. CloudTrail automatically attaches the required permissions to the topic when you create an Amazon SNS topic as part of creating or updating a trail in the CloudTrail console.

Important

As a security best practice, to restrict access to your SNS topic, we strongly recommend that after you create or update a trail to send SNS notifications, you manually edit the IAM policy that is attached to the SNS topic to add condition keys. For more information, see Security best practice for SNS topic policy in this topic.

CloudTrail adds the following statement to the policy for you, populating these fields:

  • The allowed SIDs.

  • The service principal name for CloudTrail.

  • The SNS topic, including Region, account ID, and topic name.

The following policy allows CloudTrail to send notifications about log file delivery from supported Regions. For more information, see CloudTrail supported Regions. This is the default statement that CloudTrail attaches to the policy of a new or existing SNS topic when you create or update a trail and choose to enable SNS notifications.

SNS topic policy

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailSNSPolicy20131101", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:region:SNSTopicOwnerAccountId:SNSTopicName" } ] }

To use an Amazon KMS-encrypted Amazon SNS topic to send notifications, you must also enable compatibility between the event source (CloudTrail) and the encrypted topic by adding the following statement to the policy of the Amazon KMS key.

KMS key policy

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": [ "kms:GenerateDataKey*", "kms:Decrypt" ], "Resource": "*" } ] }

For more information, see Enable Compatibility between Event Sources from Amazon Services and Encrypted Topics.

Security best practice for SNS topic policy

By default, the IAM policy statement that CloudTrail attaches to your Amazon SNS topic allows the CloudTrail service principal to publish to an SNS topic, identified by an ARN. To help prevent an attacker from gaining access to your SNS topic, and sending notifications on behalf of CloudTrail to topic recipients, manually edit your CloudTrail SNS topic policy to add an aws:SourceArn condition key to the policy statement attached by CloudTrail. The value of this key is the ARN of the trail, or an array of trail ARNs that are using the SNS topic. Because it includes both the specific trail ID and the ID of the account that owns the trail, it restricts SNS topic access to only those accounts that have permission to manage the trail. Before you add condition keys to your SNS topic policy, get the SNS topic name from your trail's settings in the CloudTrail console.

The aws:SourceAccount condition key is also supported, but is not recommended.

To add the aws:SourceArn condition key to your SNS topic policy
  1. Open the Amazon SNS console at https://console.amazonaws.cn/sns/v3/home.

  2. In the navigation pane, choose Topics.

  3. Choose the SNS topic that is shown in your trail settings, and then choose Edit.

  4. Expand Access policy.

  5. In the Access policy JSON editor, look for a block that resembles the following example.

    { "Sid": "AWSCloudTrailSNSPolicy20150319", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-west-2:111122223333:aws-cloudtrail-logs-111122223333-61bbe496" }
  6. Add a new block for a condition, aws:SourceArn, as shown in the following example. The value of aws:SourceArn is the ARN of the trail about which you are sending notifications to SNS.

    { "Sid": "AWSCloudTrailSNSPolicy20150319", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-west-2:111122223333:aws-cloudtrail-logs-111122223333-61bbe496", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws:cloudtrail:us-west-2:123456789012:trail/Trail3" } } }
  7. When you are finished editing the SNS topic policy, choose Save changes.

To add the aws:SourceAccount condition key to your SNS topic policy
  1. Open the Amazon SNS console at https://console.amazonaws.cn/sns/v3/home.

  2. In the navigation pane, choose Topics.

  3. Choose the SNS topic that is shown in your trail settings, and then choose Edit.

  4. Expand Access policy.

  5. In the Access policy JSON editor, look for a block that resembles the following example.

    { "Sid": "AWSCloudTrailSNSPolicy20150319", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-west-2:111122223333:aws-cloudtrail-logs-111122223333-61bbe496" }
  6. Add a new block for a condition, aws:SourceAccount, as shown in the following example. The value of aws:SourceAccount is the ID of the account that owns the CloudTrail trail. This example restricts access to the SNS topic to only those users who can sign in to the Amazon account 123456789012.

    { "Sid": "AWSCloudTrailSNSPolicy20150319", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-west-2:111122223333:aws-cloudtrail-logs-111122223333-61bbe496", "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" } } }
  7. When you are finished editing the SNS topic policy, choose Save changes.

Specifying an existing topic for sending notifications

You can manually add the permissions for an Amazon SNS topic to your topic policy in the Amazon SNS console and then specify the topic in the CloudTrail console.

To manually update an SNS topic policy
  1. Open the Amazon SNS console at https://console.amazonaws.cn/sns/v3/home.

  2. Choose Topics and then choose the topic.

  3. Choose Edit and then scroll down to Access policy.

  4. Add the statement from SNS topic policy with the appropriate values for the Region, account ID, and topic name.

  5. If your topic is an encrypted topic, you must grant CloudTrail the kms:GenerateDataKey* and kms:Decrypt permissions. For more information, see Encrypted SNS topic KMS key policy.

  6. Choose Save changes.

  7. Return to the CloudTrail console and specify the topic for the trail.

Troubleshooting the SNS topic policy

The following sections describe how to troubleshoot the SNS topic policy.

CloudTrail is not sending notifications for a Region

When you create a new topic as part of creating or updating a trail, CloudTrail attaches the required permissions to your topic. The topic policy uses the service principal name, "cloudtrail.amazonaws.com", which allows CloudTrail to send notifications for all Regions.

If CloudTrail is not sending notifications for a Region, it's possible that your topic has an older policy that specifies CloudTrail account IDs for each Region. This policy gives CloudTrail permission to send notifications only for the Regions specified.

The following topic policy allows CloudTrail to send notifications for the specified nine Regions only:

Example topic policy with account IDs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailSNSPolicy20131101",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::903692715234:root",
          "arn:aws:iam::035351147821:root",
          "arn:aws:iam::859597730677:root",
          "arn:aws:iam::814480443879:root",
          "arn:aws:iam::216624486486:root",
          "arn:aws:iam::086441151436:root",
          "arn:aws:iam::388731089494:root",
          "arn:aws:iam::284668455005:root",
          "arn:aws:iam::113285607260:root"
        ]
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:myTopic"
    }
  ]
}

This policy grants permission to individual CloudTrail account IDs. To deliver logs for a new Region, you must manually update the policy to include the CloudTrail account ID for that Region. For example, when CloudTrail added support for the US East (Ohio) Region, you had to update the policy to add the account ID ARN for that Region: "arn:aws:iam::475085895292:root".

As a best practice, update the policy to use a permission with the CloudTrail service principal. To do this, replace the account ID ARNs with the service principal name: "cloudtrail.amazonaws.com".

This gives CloudTrail permission to send notifications for current and new Regions. The following is an updated version of the previous policy:

Example topic policy with service principal name

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailSNSPolicy20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws-cn:sns:us-west-2:123456789012:myTopic"
    }
  ]
}

Verify that the policy has the correct values:

  • In the Resource field, specify the account number of the topic owner. For topics that you create, specify your account number.

  • Specify the appropriate values for the Region and SNS topic name.
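The following script is an added example, not code from the CloudTrail documentation. It audits an SNS topic policy document offline for the two problems this page describes (the legacy per-Region account-ID principals, and a CloudTrail statement with no aws:SourceArn or aws:SourceAccount condition) and produces the hardened form with the service principal and an aws:SourceArn condition. The policy document, account IDs and trail ARN are constructed sample values; applying the result to a real topic (for example with the SNS SetTopicAttributes API) is out of scope here.

```python
import copy

CLOUDTRAIL_SP = "cloudtrail.amazonaws.com"
SID_PREFIX = "AWSCloudTrailSNSPolicy"  # Sid prefix CloudTrail uses, as shown on this page

# Constructed sample: the legacy per-Region account-ID form (hypothetical IDs).
LEGACY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailSNSPolicy20131101",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                              "arn:aws:iam::222222222222:root"]},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-west-2:123456789012:myTopic",
    }],
}
TRAIL_ARN = "arn:aws:cloudtrail:us-west-2:123456789012:trail/Trail3"  # hypothetical

def cloudtrail_statements(policy):
    """Yield Allow statements that CloudTrail attached (by Sid prefix) or that grant to its service principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        sid_match = stmt.get("Sid", "").startswith(SID_PREFIX)
        sp_match = isinstance(principal, dict) and principal.get("Service") == CLOUDTRAIL_SP
        if sid_match or sp_match:
            yield stmt

def audit(policy):
    """Return finding codes: 'legacy-account-ids' (new Regions will not deliver) and 'unscoped' (any trail may publish)."""
    findings = []
    for stmt in cloudtrail_statements(policy):
        if "Service" not in stmt.get("Principal", {}):
            findings.append("legacy-account-ids")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not ({"aws:SourceArn", "aws:SourceAccount"} & set(cond)):
            findings.append("unscoped")
    return findings

def harden(policy, trail_arns):
    """Return a copy using the service principal plus an aws:SourceArn condition (string for one trail, array for several)."""
    hardened = copy.deepcopy(policy)
    for stmt in cloudtrail_statements(hardened):
        stmt["Principal"] = {"Service": CLOUDTRAIL_SP}
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        arns = sorted(set(trail_arns))
        cond["aws:SourceArn"] = arns[0] if len(arns) == 1 else arns
    return hardened
```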

CloudTrail is not sending notifications for a member account in an organization

When a member account with an Amazon Organizations organization trail is not sending Amazon SNS notifications, there could be an issue with the configuration of the SNS topic policy. CloudTrail creates organization trails in member accounts even if a resource validation fails, for example when the organization trail's SNS topic policy does not include all member account IDs. If the SNS topic policy is incorrect, an authorization failure occurs.

To check whether a trail's SNS topic policy has an authorization failure:

  • From the CloudTrail console, check the trail's details page. If there's an authorization failure, the details page shows the warning SNS authorization failed and prompts you to fix the SNS topic policy.

  • From the Amazon CLI, run the get-trail-status command. If there's an authorization failure, the command output includes the LastNotificationError field with a value of AuthorizationError.

Additional resources

For more information about SNS topics and subscribing to them, see the Amazon Simple Notification Service Developer Guide.