
How do I allow AWS accounts in my organization to publish messages to an Amazon SNS topic in my account?


I want an Amazon Simple Notification Service (Amazon SNS) topic to accept messages from any AWS account in my organization in AWS Organizations.

Short description

Configure the Amazon SNS topic's access policy to allow any account in your organization to publish messages to the topic. In the access policy, include the global condition key aws:PrincipalOrgID, and then specify your organization's ID.

Resolution

Complete the following steps:

  1. Find your organization's ID in the Organizations console. For more information, see Viewing the details of an organization from the management account.
  2. Create a topic in the Amazon SNS console. Note the Amazon Resource Name (ARN) of your new topic.
  3. Open the Amazon SNS console.
  4. In the navigation pane, choose Topics.
  5. Choose the topic that you created in step 2, and then choose Edit.
  6. On the Edit page, expand Access policy - optional.
  7. Paste the following example policy into the JSON editor, and then choose Save changes.
    Important: Replace snsTopicArn with the topic's ARN. Then, replace myOrgId with your organization's ID.
    {
      "Version": "2012-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "allow-publish-from-organization-accounts",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": [
            "sns:Publish"
          ],
          "Resource": "snsTopicArn",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalOrgID": "myOrgId"
            }
          }
        }
      ]
    }
    Tip: To allow accounts in your organization to perform more Amazon SNS API actions such as GetTopicAttributes, add actions under "Action" in the policy.
  8. Subscribe your email address to the SNS topic to test. When you create the subscription, make sure that you specify your topic's ARN.
  9. In your email, find the subscription confirmation message from AWS Notifications and confirm the subscription.
  10. Use any AWS account in your organization to publish a message to the SNS topic. In the publish request, make sure that you specify the topic's ARN.

The published message appears in your email.
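The policy in step 7 is safe to pair with a wildcard principal only because of the aws:PrincipalOrgID condition. The following is an added example, not code from the AWS page, that fills in the two placeholders, lints the result for an unconditioned wildcard grant, and evaluates sample publish requests the way IAM evaluates StringEquals: a request whose context lacks the key (which is the case for any caller that is not an IAM principal in an organization) does not match. The topic ARN and organization ID are constructed sample values.

```python
"""Build, lint and evaluate the organization-scoped Amazon SNS topic policy."""
import json

# Constructed sample values; replace with your own topic ARN and organization ID.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:my-example-topic"
ORG_ID = "o-exampleorgid"
ORG_KEY = "aws:PrincipalOrgID"


def build_org_publish_policy(topic_arn: str, org_id: str, extra_actions=()) -> dict:
    """Return the step-7 policy with snsTopicArn and myOrgId filled in.

    extra_actions lets you add further SNS API actions, as the Tip suggests.
    """
    if not topic_arn.startswith("arn:aws:sns:"):
        raise ValueError(f"not an SNS topic ARN: {topic_arn}")
    if not org_id.startswith("o-"):
        raise ValueError(f"not an AWS Organizations ID: {org_id}")
    return {
        "Version": "2012-10-17",
        "Id": "__default_policy_ID",
        "Statement": [
            {
                "Sid": "allow-publish-from-organization-accounts",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["sns:Publish", *extra_actions],
                "Resource": topic_arn,
                "Condition": {"StringEquals": {ORG_KEY: org_id}},
            }
        ],
    }


def _is_wildcard_principal(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def lint_policy(policy: dict) -> list:
    """Flag Allow statements that open the topic to a wildcard principal without the org condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if _is_wildcard_principal(stmt.get("Principal")) and ORG_KEY not in string_equals:
            findings.append(f"{sid}: wildcard principal without {ORG_KEY} condition")
        if stmt.get("Resource") == "*":
            findings.append(f"{sid}: Resource is '*', scope it to the topic ARN")
    return findings


def is_allowed(policy: dict, action: str, resource: str, request_context: dict) -> bool:
    """Minimal evaluator for this policy shape (wildcard AWS principal, StringEquals conditions).

    Models the IAM rule that StringEquals is false when the key is absent from the request
    context, so a caller with no aws:PrincipalOrgID in its context is denied.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or stmt["Resource"] != resource:
            continue
        if not _is_wildcard_principal(stmt["Principal"]):
            continue  # only wildcard principals are modelled here
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_context.get(key) == value for key, value in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    policy = build_org_publish_policy(TOPIC_ARN, ORG_ID)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "clean")
    print("member account:", is_allowed(policy, "sns:Publish", TOPIC_ARN, {ORG_KEY: ORG_ID}))
    print("other org:", is_allowed(policy, "sns:Publish", TOPIC_ARN, {ORG_KEY: "o-otherorg"}))
    print("no org key in context:", is_allowed(policy, "sns:Publish", TOPIC_ARN, {}))
```

The JSON this prints can be saved to policy.json and applied without the console with `aws sns set-topic-attributes --topic-arn <your topic ARN> --attribute-name Policy --attribute-value file://policy.json`. The evaluator is intentionally narrow (no Deny statements, no NotAction, no other condition operators); it exists to show which requests the org condition admits and which it rejects.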

Related information

AWS global condition context keys

Example cases for Amazon SNS access control

Overview of managing access in Amazon SNS

AWS services that you can use with AWS Organizations

1 comment

UPDATE: It's not the Principal that's the problem, it's the Condition. Without the condition I've set the Principal to "Service": "cloudwatch.amazonaws.com" and my CloudWatch alarm is able to publish to the SNS topic. When I add the condition it stops working. I am doing this via CloudFormation so wondering if my code is not right?

  RootAccountUsageSNSTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
...
...
            Condition:
              StringEquals:
                'aws:PrincipalOrgID': !Sub ${OrganizationID}

Struggling to get this working so that my CloudWatch alarm can publish to an SNS topic in a different account. I have tried:

"Principal": {
        "AWS": "*"
      }
"Principal": "*"

and

"Principal": {
        "Service": "cloudwatch.amazonaws.com"
      }

Each time I get:

AWS Internal is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:123456789012:RootAccountUsageSNSTopic because no resource-based policy allows the SNS:Publish action

With

"Principal": {
        "AWS": "*"
      }

I was able to publish to the SNS topic from a different account using the AWS CLI, it just doesn't work when CloudWatch tries to publish to it.

replied a year ago