How do I invoke a cross-account Amazon SNS topic with a CloudWatch alarm?


I want to invoke an Amazon Simple Notification Service (Amazon SNS) topic with an Amazon CloudWatch alarm across different AWS accounts.

Resolution

Note: The following resolution uses two accounts. Account A is used to create the CloudWatch alarm and account B is used to create an SNS topic.

Create an SNS topic in account B

Complete the following steps:

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose Topics, and then choose Create topic.
  3. Choose Standard for the topic type, and then create a name for the topic.
  4. Choose Create topic, and then copy the ARN of the topic.
  5. In the navigation pane, choose Subscriptions, and then choose Create subscription.
  6. Add the topic's ARN in the Topic ARN section, and then choose Email as the protocol.
  7. Choose Create subscription, and then check your email to confirm the subscription.

Create a CloudWatch alarm in account A

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Alarms, and then choose Create alarm.
  3. Select your metric, and then provide details for the threshold and comparison parameters.
  4. From Configure Actions, under Notifications, choose Use topic ARN to notify other accounts, and then enter the topic ARN from Account B.
  5. Create a name for the alarm, and then choose Create alarm.

Update the access policy of the SNS topic in account B

To update the access policy of the SNS topic in account B to allow the alarm to publish messages, complete the following steps:

  1. Open the Amazon SNS console.

  2. In the navigation pane, choose Topics, and then select the topic.

  3. Choose Edit, and then add the following to the policy:

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Sid": "default_statement_ID",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": [
            "SNS:Publish"
          ],
          "Resource": "example-topic-arn-account-b",
          "Condition": {
            "ArnLike": {
              "aws:SourceArn": "arn:aws:cloudwatch:example-region:111122223333:alarm:*"
            }
          }
        }
      ]
    }

    Note: In the preceding policy, replace example values with your values.
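The security-relevant part of that policy is the pairing of a wildcard Principal with the aws:SourceArn condition: without the condition, anyone could publish to the topic, and with a pattern that does not actually match the alarm ARN, nothing can. The following is an added example (not AWS's code and not part of the article) that checks a topic policy offline: it implements ArnLike matching with "*" and "?" wildcards, lints wildcard-principal statements for extra actions or a missing or dead SourceArn condition, and simulates whether a given alarm ARN would pass. The account IDs, region, topic ARN and alarm name are constructed sample values; the second policy is a constructed variant with the two defects worth catching (management actions granted to "*", and a SourceArn pattern ending in "alarm:" with no wildcard, the same problem as the policy posted in the comments below).

```python
import re

# Constructed sample values, not from the article: account A owns the alarm,
# account B owns the topic.
ACCOUNT_A = "111122223333"
TOPIC_ARN_B = "arn:aws:sns:us-east-1:222233334444:CrossAccountAlarms"
ALARM_ARN_A = f"arn:aws:cloudwatch:us-east-1:{ACCOUNT_A}:alarm:HighCPU"

# The article's policy with its example values filled in (region constructed).
ARTICLE_POLICY = {
    "Version": "2008-10-17",
    "Id": "default_policy_ID",
    "Statement": [{
        "Sid": "default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish"],
        "Resource": TOPIC_ARN_B,
        "Condition": {"ArnLike": {
            "aws:SourceArn": f"arn:aws:cloudwatch:us-east-1:{ACCOUNT_A}:alarm:*"}},
    }],
}

# Constructed variant with two defects: a wildcard principal granted management
# actions, and a SourceArn pattern that ends in "alarm:" with no "*".
BROAD_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "too_broad",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:SetTopicAttributes", "SNS:DeleteTopic", "SNS:Subscribe", "SNS:Publish"],
        "Resource": TOPIC_ARN_B,
        "Condition": {"ArnLike": {
            "aws:SourceArn": f"arn:aws:cloudwatch:us-east-1:{ACCOUNT_A}:alarm:"}},
    }],
}


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: '*' matches any run of characters, '?' exactly one;
    the match is case-sensitive and must cover the whole ARN."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _source_arn_patterns(stmt: dict) -> list:
    """Every aws:SourceArn value in the statement's Condition, under any operator."""
    return [p for key_values in stmt.get("Condition", {}).values()
            for key, value in key_values.items() if key.lower() == "aws:sourcearn"
            for p in _as_list(value)]


def _has_source_account(stmt: dict) -> bool:
    return any(key.lower() == "aws:sourceaccount"
               for key_values in stmt.get("Condition", {}).values() for key in key_values)


def lint_topic_policy(policy: dict, alarm_account: str) -> list:
    """Findings for Allow statements whose Principal is '*'. Returns [] when each such
    statement is limited to SNS:Publish and scoped to alarms in alarm_account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "*" not in _as_list(principal):
            continue  # principal already scoped; not the wildcard pattern from the article
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        extra = sorted(actions - {"sns:publish"})
        if extra:
            findings.append(f"{sid}: wildcard principal is granted more than SNS:Publish: {extra}")
        patterns = _source_arn_patterns(stmt)
        if not patterns and not _has_source_account(stmt):
            findings.append(f"{sid}: no aws:SourceArn/aws:SourceAccount condition, anyone may publish")
        for pat in patterns:
            if not pat.startswith("arn:aws:cloudwatch:") or f":{alarm_account}:alarm:" not in pat:
                findings.append(f"{sid}: SourceArn {pat!r} is not a CloudWatch alarm ARN in {alarm_account}")
            if pat.endswith("alarm:"):
                findings.append(f"{sid}: SourceArn {pat!r} ends in 'alarm:' with no '*', so it matches no alarm")
    return findings


def alarm_may_publish(policy: dict, alarm_arn: str) -> bool:
    """Would this alarm ARN pass the SourceArn gate? Only Allow statements carrying
    SNS:Publish are considered; Deny statements and other condition keys are ignored."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sns:publish", "sns:*"}:
            continue
        patterns = _source_arn_patterns(stmt)
        if not patterns or any(arn_like(p, alarm_arn) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("article", ARTICLE_POLICY), ("broad", BROAD_POLICY)):
        print(name, lint_topic_policy(policy, ACCOUNT_A) or "OK",
              "| alarm may publish:", alarm_may_publish(policy, ALARM_ARN_A))
```

Run it after editing the policy and before relying on the alarm: the article's policy produces no findings and lets the account A alarm through, while the broad variant is flagged twice and, because its pattern matches no ARN, blocks the alarm entirely. Only the SourceArn gate is simulated here; the actual IAM evaluation also applies Deny statements and any other condition keys in the policy.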

Test the alarm

To test the alarm, either change the alarm threshold based on the metric data points, or manually change the alarm state. When you change the alarm threshold or alarm state, you receive an email notification.

Related information

Allow any CloudWatch alarm to publish to a topic in a different account

Why didn't I receive an SNS notification for my CloudWatch alarm trigger?

SetAlarmState

2 comments

Please note that the example policy given in this post has some syntax errors. It's missing an asterisk in the Principal section and a comma where the Resource is defined.

It should look like this:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "example-topic-arn-account-b",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:cloudwatch:example-region:111122223333:alarm:*"
        }
      }
    }
  ]
}

Either the syntax has changed since this was originally posted, or someone did not double-check if the example policy actually works. ;D

answered 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
answered 7 months ago