Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Grant access to Security Hub for SNS topic in different account

0

We have a CloudWatch Alarm which triggers a SNS topic in a different account. Security Hub wants to check this topic, but fails with the below error visible in CloudTrail logs:

User: arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: arn:aws:sns:eu-central-1:987654321012:my-topic because no resource-based policy allows the SNS:ListSubscriptionsByTopic action

The topic contains the below access policy statement:

{
  "Sid": "AllowSecurityHubAccess",
  "Effect": "Allow",
  "Principal": {
    "Service": "securityhub.amazonaws.com"
  },
  "Action": [
    "sns:ListSubscriptionsByTopic"
  ],
  "Resource": "*"
}

Any ideas how to fix this?

Themen
Sicherheit, Identität & KonformitätAnwendungsintegration
Tags
AWS Sicherheits-HubAmazon Simple Notification Service (SNS)
Sprache
English
Jonas Koenig
gefragt vor 2 Jahren511 Aufrufe
1 Antwort
0

Hi,Did you also considered providing the cross account access to the resource as it seems principle is in another account so you need to create the trust.

Iknownothing
beantwortet vor 2 Jahren
  • Jonas Koenig
    vor 2 Jahren

    Well the principal is a service-linked role in this case. AFAIK these don‘t need any trust as same works for Cloudwatch which successfully sends alarm notifications to the mentioned topic in a different account.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt