Prerequisites for subscribing Firehose delivery streams to Amazon SNS topics

A standard SNS topic. For more information, see Creating an Amazon SNS topic.

A Firehose delivery stream. For more information, see Creating an Amazon Data Firehose Delivery Stream and Grant Your Application Access to Your Firehose Resources in the Amazon Data Firehose Developer Guide.

An Amazon Identity and Access Management (IAM) role that trusts the Amazon SNS service principal and has permission to write to the delivery stream. You'll enter this role's Amazon Resource Name (ARN) as the SubscriptionRoleARN when you create the subscription. Amazon SNS assumes this role, which allows Amazon SNS to put records in the Firehose delivery stream.

The following example policy shows the recommended permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "firehose:ListTagsForDeliveryStream",
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": [
        "arn:aws-cn:firehose:us-east-1:111111111111:deliverystream/firehose-sns-delivery-stream"
      ],
      "Effect": "Allow"
    }
  ]
}

To provide full permission for using Firehose, you can also use the Amazon managed policy AmazonKinesisFirehoseFullAccess. Or, to provide stricter permissions for using Firehose, you can create your own policy. At minimum, the policy must provide permission to run the PutRecord operation on a specific delivery stream.

In all cases, you must also edit the trust relationship to include the Amazon SNS service principal. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

For more information on creating roles, see Creating a role to delegate permissions to an Amazon service in the IAM User Guide.