What SNS topic access policy to use for a CloudFormation CustomResource to post messages to an SNS topic in a different AWS account?

0

I have an SNS topic in ACCOUNT1. I would like to receive notifications from any other AWS account as long as it is a Custom Resource message. What condition can I add in the SNS topic access policy to restrict messages to CloudFormation Custom Resource only? I'd like to have a policy that can allow messages with a specific string in them rather than limiting the principal to specific AWS accounts.

Sg
Asked 8 months ago, 251 views
1 answer
1

Hello,

For the access policy to use for a CloudFormation CustomResource to post messages to an SNS topic in another AWS account, you'll need to set up cross-account permissions. You will create an SNS topic access policy in the AWS account where the SNS topic resides (the "destination" account) and grant the necessary permissions to the AWS account where the CloudFormation custom resource is located (the "source" account).

[+] https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html

To add the SNS topic access policy that allows messages with a specific string, you can use the 'aws:SourceArn' condition key along with string comparison conditions in the SNS topic's access policy. This will allow you to filter messages based on their source ARN, which can be set by the publisher of the message.

An example:

[+] https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html

AWS
Answered 8 months ago
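The topic policy shape the answer describes, written out as an added example (it is not part of the original answer and not an AWS-published document). The topic ARN, region and account id are placeholders; the `ArnLike` pattern on `aws:SourceArn` is the string-pattern condition the answer refers to, and whether CloudFormation populates `aws:SourceArn` with the stack ARN for custom-resource requests in your setup is an assumption you should verify with a test stack before relying on it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublishOnlyWhenSourceIsACloudFormationStack",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:custom-resource-topic",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:cloudformation:*:*:stack/*"
        }
      }
    }
  ]
}
```

Two points matter for safety here. `"Principal": "*"` on its own would make the topic publicly writable, so the `Condition` block is the only thing restricting who can publish; if the request carries no `aws:SourceArn` at all, the `ArnLike` condition evaluates to false and the `Allow` does not apply, which is the intended fail-closed behaviour. If you later find you do want to narrow the set of source accounts, adding `"StringEquals": {"aws:SourceAccount": ["<source-account-id>"]}` alongside the `ArnLike` block is the usual companion condition; the asker explicitly did not want that, so it is left out above. The publishing side in the source account still needs its own identity-based `sns:Publish` permission on this topic ARN, as the answer notes.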
