Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Allowing CloudWatch Alarm to send to SNS in other account

Tags:

amazon-sns

amazon-cloudwatch

I have a SNS topic in account "A", which is a trigger of a Lambda function in that same account. This Lambda function sends a message to a private Slack channel.

This works fine, as long as the CloudWatch alarm is in the same account (Account A).

But I also want to do this from "Account B", but there I get:

{
  "error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "actionState": "Failed",
  "notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "stateUpdateTimestamp": 1495732611020,
  "publishedMessage": null
}

So how do I allow the CloudWatch Alarm ARN access to publish to the topic?

Trying to add the policy fails with:

Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725)

I see that someone else have/had the same problem (years ago!) at https://forums.aws.amazon.com/thread.jspa?threadID=143607, but it was never answered.

Update:

Trying to solve this, I'm now trying to use a local SNS topic, which then sends this to the remove account. However, I'm still getting:

"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"

This, with this SNS policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    }
  ]
}

If I manually send a message to the topic with the Publish to topic, I can see that it reaches the Lambda function, so everything except the CloudWatch access rights.

like image 228
Fransurbo Avatar asked May 25 '17 17:05

Fransurbo

People also ask

How do I send an email from my CloudWatch alarm?

Amazon CloudWatch uses Amazon SNS to send email. First, create and subscribe to an SNS topic. When you create a CloudWatch alarm, you can add this SNS topic to send an email notification when the alarm changes state. For more information, see the Amazon Simple Notification Service Getting Started Guide.

Why didn't ti receive SNS notification for my CloudWatch alarm trigger?

To determine why you're not receiving SNS notifications, check the history of the CloudWatch alarm to find the status of the trigger action. SNS restricts the sources that can publish messages to the topic using access policies.

Can CloudWatch send notifications?

You can configure CloudWatch Logs to send a notification whenever an alarm is triggered for CloudTrail. Doing so enables you to respond quickly to critical operational events captured in CloudTrail events and detected by CloudWatch Logs. CloudWatch uses Amazon Simple Notification Service (SNS) to send email.

How do I enable CloudWatch on SNS?

To enable and view CloudWatch Logs for your SMS messagesSign in to the Amazon SNS console . In the console menu, set the region selector to a region that supports SMS messaging. On the navigation panel, choose Text messaging (SMS).

Which Amazon service can you use to send immediate email alerts based on CloudWatch alarms?

Using Amazon CloudWatch alarms, you can set up metric thresholds and send alerts to Amazon Simple Notification Service (SNS). SNS can send notifications using e-mail, HTTP(S) endpoints, and Short Message Service (SMS) messages to mobile phones, and it can even trigger a Lambda function.

1 Answers

By means of trial-and-error, I discovered it was the Condition that didn't work. For some reason. Not sure why it didn't see the source account...

A more extensive policy made it work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    },
    {
      "Sid": "AllowCloudWatchAlarmsToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*"
        }
      }
    }
  ]
}
like image 179
Fransurbo Avatar answered Sep 27 '22 21:09

Fransurbo
Sign in to Comment

Related questions

AuthorizationError when confirming SNS subscription over HTTP
Publish AWS SNS message to Pagerduty
AWS Lambda & SNS: Invoke Lambda cross-region
How to limit the consuming rate from a topic?
How to debug issues with Amazon SQS subscription to SNS
How do I check whether a mobile device has already been registered
AWS CodeCommit: Repository Notifications vs Repository Triggers
Both "Delivery" and "Bounce" SNS Notifications after sending via AWS SES
Publish message from SNS to kinesis
S3 Event -> Lambda vs S3->SNS->Lambda
AWS SES S3 process inbound email
How Publish SNS message in C# Lambda Core
App connected to FCM not receiving notification from AWS SNS
SNS Mobile push notifications extremely confused
Subscribe a sqs queue to a sns topic that is in a different account, using aws cdk(typescript)
Amazon Web Services mobile hub SNS push for iOS
Is the fanout pattern using AWS SNS ans SQS reliable?
How you Reference the function ARN of a Function (Lambda) in serverless.yml file?
Customizing Amazon SNS email notifications
Invoke Lambda using SNS from Outside Account

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!