Prerequisites for subscribing Firehose delivery streams to Amazon SNS topics - Amazon Simple Notification Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Prerequisites for subscribing Firehose delivery streams to Amazon SNS topics

To subscribe an Amazon Data Firehose delivery stream to an SNS topic, your Amazon Web Services account must have:

  • A standard SNS topic. For more information, see Creating an Amazon SNS topic.

  • A Firehose delivery stream. For more information, see Creating an Amazon Data Firehose Delivery Stream and Grant Your Application Access to Your Firehose Resources in the Amazon Data Firehose Developer Guide.

  • An Amazon Identity and Access Management (IAM) role that trusts the Amazon SNS service principal and has permission to write to the delivery stream. You'll enter this role's Amazon Resource Name (ARN) as the SubscriptionRoleARN when you create the subscription. Amazon SNS assumes this role, which allows Amazon SNS to put records in the Firehose delivery stream.

    The following example policy shows the recommended permissions:

    { "Version": "2012-10-17", "Statement": [ { "Action": [ "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams", "firehose:ListTagsForDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": [ "arn:aws-cn:firehose:us-east-1:111111111111:deliverystream/firehose-sns-delivery-stream" ], "Effect": "Allow" } ] }

    To provide full permission for using Firehose, you can also use the Amazon managed policy AmazonKinesisFirehoseFullAccess. Or, to provide stricter permissions for using Firehose, you can create your own policy. At minimum, the policy must provide permission to run the PutRecord operation on a specific delivery stream.

    In all cases, you must also edit the trust relationship to include the Amazon SNS service principal. For example:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

    For more information on creating roles, see Creating a role to delegate permissions to an Amazon service in the IAM User Guide.

After you've completed these requirements, you can subscribe the delivery stream to the SNS topic.