I want to publish an Amazon Simple Notification Service (Amazon SNS) topic from an Amazon Elastic Compute Cloud (Amazon EC2) instance in another AWS account. I want to use an AWS Identity and Access Management (IAM) role for an EC2 instance that uses a public subnet.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Configure the account with your instance
Complete the following steps:
- Create an IAM policy with permissions to publish to your SNS topic. Example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"
        }
    ]
}
Note: Replace us-east-1 with your AWS Region and 123456789012 with your account ID.
- Create an IAM role for your instance with a name that's similar to cross-acc-ec2-sns-publish-role. Then, attach the policy to your IAM role.
- Launch an instance in a public subnet with internet access.
Attach the IAM role to your instance
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Instances.
- Choose your instance, such as cross-acc-ec2-sns-publish-role, and then choose Actions.
- Select Security, and then choose Modify IAM role.
- Select the IAM role that you created, and then choose Save.
Note: To troubleshoot instance internet connection issues, see Why can't my Amazon EC2 instance access the internet through an internet gateway?
Configure the account with your SNS topic
Complete the following steps to create an SNS topic and add permissions to allow the Amazon EC2 IAM role to perform the Publish action:
- Create an SNS topic with a name that's similar to cross-account-ec2-sns.
- Subscribe an endpoint to your topic, and then confirm the subscription.
- Open the Amazon SNS console.
- In the navigation pane, choose Topics, and then choose the SNS topic that you want to publish to.
- Choose the Access policy tab.
- Under Details, choose Edit.
- Expand the Access policy section, and then enter the following SNS access policy:
{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:GetTopicAttributes",
                "SNS:SetTopicAttributes",
                "SNS:AddPermission",
                "SNS:RemovePermission",
                "SNS:DeleteTopic",
                "SNS:Subscribe",
                "SNS:Publish",
                "SNS:Receive"
            ],
            "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "123456789012"
                }
            }
        },
        {
            "Sid": "grant-65864586-publish-and-listsubscriptionsbytopic",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"
            },
            "Action": [
                "sns:Publish",
                "sns:ListSubscriptionsByTopic"
            ],
            "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"
        }
    ]
}
Note: Replace us-east-1 with your Region, 123456789012 with the ID of the account that owns the SNS topic, 111122223333 with the ID of the account that owns the instance and its IAM role, and cross-acc-ec2-sns-publish-role with the name of the IAM role that you created. Make sure that the ARNs contain no spaces; a space inside an ARN prevents the principal or resource from matching.
- Choose Save changes.
Publish the notification from your instance and test the configuration
Complete the following steps:
- Open the Amazon EC2 console with the account that has your instance.
- Connect to your instance. For Windows instances, see Connect to your Windows instance using RDP. For Linux instances, see Connect to your Linux instance using SSH.
- Run the following AWS CLI publish command to send a test message:
aws sns publish --topic-arn "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns" --message "test" --region us-east-1
Note: Replace us-east-1 with your Region and 123456789012 with your account ID.
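If the test publish returns an AuthorizationError, both policies described above need to be checked: the role's identity policy in the instance account and the topic's access policy in the topic account. The following added checker (not part of this article or of any AWS tool) parses both JSON policies offline and reports whether each side allows sns:Publish for the role, and flags a space inside an ARN, which is an easy copy-paste slip. The ARNs and policies it embeds are constructed samples using the same placeholder IDs as the article.

```python
import json

# Constructed sample ARNs, matching the placeholder IDs used in this article.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"
ROLE_ARN = "arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"

# Constructed sample policies; the topic policy deliberately carries a stray
# space inside the principal ARN, the kind of slip a copy-paste introduces.
IDENTITY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}]})
TOPIC_POLICY_WITH_SPACE = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN.replace("::", ":: ")},
     "Action": ["sns:Publish", "sns:ListSubscriptionsByTopic"], "Resource": TOPIC_ARN}]})


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _allows_publish(stmt, topic_arn):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (stmt.get("Effect") == "Allow"
            and any(a in ("sns:publish", "sns:*", "*") for a in actions)
            and any(r in (topic_arn, "*") for r in resources))


def check_cross_account_publish(identity_policy, topic_policy, role_arn, topic_arn):
    """Return a list of problems; an empty list means both sides line up.
    Wildcard principals guarded by an AWS:SourceOwner condition are ignored:
    they never cover a role from another account."""
    problems = []
    identity, topic = json.loads(identity_policy), json.loads(topic_policy)
    if not any(_allows_publish(s, topic_arn) for s in identity["Statement"]):
        problems.append("identity policy: no Allow for sns:Publish on the topic")
    granted = False
    for stmt in topic["Statement"]:
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for arn in aws + _as_list(stmt.get("Resource", [])):
            if " " in arn:  # a space inside an ARN silently breaks the match
                problems.append(f"whitespace inside ARN: {arn!r}")
        if role_arn in aws and _allows_publish(stmt, topic_arn):
            granted = True
    if not granted:
        problems.append("topic policy: role is not an explicit principal allowed sns:Publish")
    return problems
```

Run it against the two policies you actually saved (for example, exported with aws iam get-role-policy and aws sns get-topic-attributes) rather than the embedded samples to verify your own configuration.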