Configuring Amazon SNS topics for Change Manager notifications - Amazon Systems Manager


You can configure Change Manager, a capability of Amazon Systems Manager, to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic for events related to change requests and change templates. Complete the following tasks to receive notifications for the Change Manager events that you associate a topic with.

Task 1: Create and subscribe to an Amazon SNS topic

First, you must create and subscribe to an Amazon SNS topic. For more information, see Creating an Amazon SNS topic and Subscribing to an Amazon SNS topic in the Amazon Simple Notification Service Developer Guide.

Note

To receive notifications, you must specify the Amazon Resource Name (ARN) of an Amazon SNS topic that is in the same Amazon Web Services Region and Amazon Web Services account as the delegated administrator account.

Task 2: Update the Amazon SNS access policy

Use the following procedure to update the Amazon SNS access policy so that Systems Manager can publish Change Manager notifications to the Amazon SNS topic you created in Task 1. Until you complete this task, Change Manager doesn't have permission to send notifications for the events that you associate the topic with.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon SNS console at https://console.amazonaws.cn/sns/v3/home.

  2. In the navigation pane, choose Topics.

  3. Choose the topic you created in Task 1, and then choose Edit.

  4. Expand Access policy.

  5. Add the following Sid block to the existing policy and replace each user input placeholder with your own information.

    {
        "Sid": "Allow Change Manager to publish to this topic",
        "Effect": "Allow",
        "Principal": {
            "Service": "ssm.amazonaws.com.cn"
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws-cn:sns:region:account-id:topic-name",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": [
                    "account-id"
                ]
            }
        }
    }

    Enter this block after the existing Sid block, and replace region, account-id, and topic-name with the appropriate values for the topic you created.

  6. Choose Save changes.

The system now sends notifications to the Amazon SNS topic whenever an event of the type that you associated the topic with occurs.

Important

If you configured the Amazon SNS topic with an Amazon Key Management Service (Amazon KMS) server-side encryption key, then you must complete Task 3.

Task 3: (Optional) Update the Amazon Key Management Service access policy

If you turned on Amazon Key Management Service (Amazon KMS) server-side encryption for your Amazon SNS topic, then you must also update the access policy of the Amazon KMS key you chose when you configured the topic. Use the following procedure to update the access policy so that Systems Manager can publish Change Manager approval notifications to the Amazon SNS topic you created in Task 1.

  1. Open the Amazon KMS console at https://console.amazonaws.cn/kms.

  2. In the navigation pane, choose Customer managed keys.

  3. Choose the ID of the customer managed key you chose when you created the topic.

  4. In the Key policy section, choose Switch to policy view.

  5. Choose Edit.

  6. Enter the following Sid block after one of the existing Sid blocks in the existing policy. Replace each user input placeholder with your own information.

    {
        "Sid": "Allow Change Manager to decrypt the key",
        "Effect": "Allow",
        "Principal": {
            "Service": "ssm.amazonaws.com.cn"
        },
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource": "arn:aws-cn:kms:region:account-id:key/key-id",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": [
                    "account-id"
                ]
            }
        }
    }

  7. Now enter the following Sid block after one of the existing Sid blocks in the resource policy to help prevent the cross-service confused deputy problem.

    This block uses the aws:SourceArn and aws:SourceAccount global condition context keys to limit the permissions that Systems Manager gives another service to the resource.

    Replace each user input placeholder with your own information.

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "Configure confused deputy protection for Amazon KMS keys used in Amazon SNS topic when called from Systems Manager",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ssm.amazonaws.com.cn"
                },
                "Action": [
                    "sns:Publish"
                ],
                "Resource": "arn:aws-cn:sns:region:account-id:topic-name",
                "Condition": {
                    "ArnLike": {
                        "aws:SourceArn": "arn:aws-cn:ssm:region:account-id:*"
                    },
                    "StringEquals": {
                        "aws:SourceAccount": "account-id"
                    }
                }
            }
        ]
    }

  8. Choose Save changes.
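The following script is an added example, not part of this guide or of Systems Manager itself. It builds the Task 2 topic statement with both confused-deputy conditions from Task 3 step 7 already applied, inserts it into an existing topic access policy without disturbing the statements that are already there, and audits a policy for statements that let the Systems Manager service principal publish without aws:SourceAccount and aws:SourceArn. The region, account ID, topic name and sample policy are constructed values; the script works on the JSON policy document offline (the same string you would fetch with sns:GetTopicAttributes and write back with sns:SetTopicAttributes).

```python
import json
# Partition values taken from the page's policy examples (China Regions).
PARTITION, SSM_PRINCIPAL = "aws-cn", "ssm.amazonaws.com.cn"
SID = "Allow Change Manager to publish to this topic"

def change_manager_statement(region, account_id, topic_name):
    # Task 2's sns:Publish statement plus both conditions from Task 3 step 7.
    return {"Sid": SID, "Effect": "Allow",
            "Principal": {"Service": SSM_PRINCIPAL}, "Action": "sns:Publish",
            "Resource": f"arn:{PARTITION}:sns:{region}:{account_id}:{topic_name}",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                          "ArnLike": {"aws:SourceArn":
                                      f"arn:{PARTITION}:ssm:{region}:{account_id}:*"}}}

def _statements(policy):  # IAM allows a single statement object instead of a list
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def add_statement(policy_json, region, account_id, topic_name):
    # Add the statement once (idempotent) and keep every existing statement.
    policy = json.loads(policy_json)
    stmts = policy["Statement"] = _statements(policy)
    if not any(s.get("Sid") == SID for s in stmts):
        stmts.append(change_manager_statement(region, account_id, topic_name))
    return json.dumps(policy)

def audit(policy_json):
    # Flag Allow statements that let the SSM service principal publish without
    # both aws:SourceAccount and aws:SourceArn (still confused-deputy exposed).
    findings = []
    for s in _statements(json.loads(policy_json)):
        principal = s.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = s.get("Action", [])
        actions = {a.lower() for a in ([actions] if isinstance(actions, str) else actions)}
        if (s.get("Effect") != "Allow" or SSM_PRINCIPAL not in services
                or not actions & {"sns:publish", "sns:*"}):
            continue
        cond = json.dumps(s.get("Condition", {}))
        findings += [f"{s.get('Sid', '<no Sid>')}: missing {k}"
                     for k in ("aws:SourceAccount", "aws:SourceArn") if k not in cond]
    return findings

# Constructed sample: a topic policy whose SSM statement carries no Condition.
SAMPLE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "WeakChangeManager", "Effect": "Allow", "Action": "SNS:Publish",
    "Principal": {"Service": SSM_PRINCIPAL},
    "Resource": "arn:aws-cn:sns:cn-north-1:111122223333:ChangeManagerTopic"}]})
```

Running audit on the sample reports the unconditioned statement twice (one finding per missing key); after add_statement the new statement adds no finding, while the weak one still does until you remove or tighten it.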