Permissions for the Amazon SNS Topic
This topic describes how to configure Amazon Config to deliver Amazon SNS topics owned by a different account. Amazon Config must have the required permissions to send notifications to an Amazon SNS topic. For same-account setup, when the Amazon Config console creates an Amazon SNS topic or you choose an Amazon SNS topic from your own account, Amazon Config makes sure that the Amazon SNS topic includes the required permissions and follows security best practices.
Note
Amazon Config currently supports only access in the same Region and across accounts. SNS topics used for remediation Amazon Systems Manager (SSM) documents or for the recorder delivery channel cannot be cross-Region.
Contents
Required Permissions for the Amazon SNS Topic When Using IAM Roles
You can attach a permissions policy to the Amazon SNS topic owned by a different account. If you want to use an Amazon SNS topic from another account, make sure to attach the following policy to the existing Amazon SNS topic.
{ "Id": "Policy_ID", "Statement": [ { "Sid": "AWSConfigSNSPolicy", "Action": [ "sns:Publish" ], "Effect": "Allow", "Resource": "arn:aws:sns:
region
:account-id
:myTopic
", "Principal": { "AWS": [ "account-id1
", "account-id2
", "account-id3
" ] } } ] }
For the Resource
key, account-id
is the Amazon
account number of the topic owner. For account-id1
,
account-id2
, and account-id3
, use the
Amazon Web Services accounts that will send data to an Amazon SNS topic. You can substitute appropriate values
for region
and myTopic
.
When Amazon Config sends a notification to an Amazon SNS topic, it first attempts to use the IAM role,
but this attempt fails if the role or Amazon Web Services account does not have permission to publish to the
topic. In this event, Amazon Config sends the notification again, this time as an Amazon Config service
principal name (SPN). Before the publication can succeed, the access policy for the topic must
grant sns:Publish
access to the config.amazonaws.com
principal name.
You must attach an access policy, described in the next section, to the Amazon SNS topic to grant
Amazon Config access to the Amazon SNS topic if the IAM role does not have permission to publish to the
topic.
Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles
The Amazon Config service-linked role does not have permission to access the Amazon SNS topic. So, if you set up Amazon Config using a service-linked role (SLR), Amazon Config will send information as the Amazon Config service principal instead. You will need to attach an access policy, mentioned below, to the Amazon SNS topic to grant Amazon Config access to send information to the Amazon SNS topic.
For same-account setup, when the Amazon SNS topic and SLR are in the same account and the Amazon SNS
policy grants the SLR "sns:Publish
" permission, you do not need to use the Amazon Config
SPN. The permissions policy below and security best practice recommendations are for cross-account
setup.
Granting Amazon Config access to the Amazon SNS topic.
This policy allows Amazon Config to send a notification to an Amazon SNS topic. To grant Amazon Config access to the Amazon SNS topic from another account, you will need to attach the following permissions policy.
Note
As a security best practice, it is strongly recommended to make
sure Amazon Config is accessing resources on behalf of expected users only by restricting access to the
accounts listed in AWS:SourceAccount
condition.
{ "Id": "Policy_ID", "Statement": [ { "Sid": "AWSConfigSNSPolicy", "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "sns:Publish", "Resource": "arn:aws:sns:
region
:account-id
:myTopic
", "Condition" : { "StringEquals": { "AWS:SourceAccount": [ "account-id1
", "account-id2
", "account-id3
" ] } } } ] }
For the Resource
key, account-id
is the Amazon
account number of the topic owner. For account-id1
,
account-id2
, and account-id3
, use the
Amazon Web Services accounts that will send data to an Amazon SNS topic. You can substitute appropriate values
for region
and myTopic
.
You can use the AWS:SourceAccount
condition in the previous Amazon SNS topic
policy to restrict the Amazon Config service principal name (SPN) to interact only with the Amazon SNS topic
when performing operations on behalf of specific accounts.
Amazon Config also supports the AWS:SourceArn
condition which restricts the Amazon Config
service principal name (SPN) to only interact with the S3 bucket when performing operations on
behalf of specific Amazon Config delivery channels. When using the Amazon Config service principal name (SPN),
the AWS:SourceArn
property will always be set to
arn:aws:config:sourceRegion:sourceAccountID:*
where sourceRegion
is the Region of the delivery channel and sourceAccountID
is the ID of the
account containing the delivery channel. For more information about Amazon Config delivery channels,
see Managing the Delivery
Channel. For example, add the following condition to restrict the Amazon Config service
principal name (SPN) to interact with your S3 bucket only on behalf of a delivery channel in
the us-east-1
Region in the account 123456789012
: "ArnLike":
{"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}
.
Troubleshooting for the Amazon SNS Topic
Amazon Config must have permissions to send notifications to an Amazon SNS topic. If an Amazon SNS topic
cannot receive notifications, verify that the IAM role that Amazon Config was assuming has the
required sns:Publish
permissions.