I get an error in Amazon Simple Notification Service (Amazon SNS). The error happens when I'm using a subnet, and I try to publish my SNS topic from a cross-account Amazon Elastic Compute Cloud (Amazon EC2) instance.
If you receive an authorization error when you call the Publish operation, then complete the steps in the Verify EC2 instance IAM role and SNS topic access policy permissions section.
If you have issues with an SNS topic that's using server-side encryption and you receive a "KMSAccessDenied" error, then complete the steps in the Verify KMS key settings and EC2 IAM role permissions section.
Note: If your EC2 instance can't connect to the internet with an internet gateway, see Why can't my Amazon EC2 instance connect to the internet using an internet gateway?
Verify EC2 instance IAM role and SNS topic access policy permissions
Misconfigured AWS Identity and Access Management (IAM) role permissions for your EC2 instance and Amazon SNS topic access policy can cause the following error:
"An error occurred (AuthorizationError) when calling the Publish operation: User: arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role/i-0123456789f804d is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-2:123456789012:cross-account-ec2-sns."
To resolve this error, see How do I publish to an Amazon SNS topic from a cross-account Amazon EC2 instance using an IAM EC2 role?
Verify KMS key settings and EC2 IAM role permissions
If permissions for the IAM role of your EC2 instance and the AWS Key Management Service (AWS KMS) key policy of your AWS KMS key (KMS key) are incorrect, you can receive the following error:
An error occurred (KMSAccessDenied) when calling the Publish operation: null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Re
quest ID: IDNumber; Proxy: null)
Note: The preceding error occurs only when your SNS topic uses server-side encryption.
To resolve the error, check your KMS key settings and AWS KMS key policy permissions:
1. Confirm that your KMS key is enabled.
2. Confirm that your EC2 instance IAM role is allowed to perform kms:GenerateDataKey* and kms:Decrypt in the AWS KMS key policy. This is the key policy of the KMS key that's used for server-side encryption on your SNS topic. For example:
3. Confirm that kms:GenerateDataKey* and kms:Decrypt permissions are attached to the IAM role of your EC2 instance.
Note: It's a best practice to provide the least privileges needed. Therefore, be sure to replace the Resource value with your KMS Key ARN in the following IAM role policy: