We have a CloudWatch Alarm which triggers an SNS topic in a different account. Security Hub wants to check this topic, but fails with the error below, visible in the CloudTrail logs:
User: arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: arn:aws:sns:eu-central-1:987654321012:my-topic because no resource-based policy allows the SNS:ListSubscriptionsByTopic action
The topic contains the access policy statement below:
{
    "Sid": "AllowSecurityHubAccess",
    "Effect": "Allow",
    "Principal": {
        "Service": "securityhub.amazonaws.com"
    },
    "Action": [
        "sns:ListSubscriptionsByTopic"
    ],
    "Resource": "*"
}
Any ideas how to fix this?
Well, the principal is a service-linked role in this case. AFAIK these don't need any trust, as the same works for CloudWatch, which successfully sends alarm notifications to the mentioned topic in a different account.
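Added example (not from either post): a small Python model of how a resource-based policy's Principal element is matched against the caller, run over the statement posted in the question and over the two callers the thread contrasts. The CloudTrail error identifies the caller as the role session arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub, so the topic policy has to allow that IAM identity under an "AWS" principal; a "Service" principal only matches an AWS service acting as itself, which is how CloudWatch Alarms publish and why the alarm path works without a role grant. The FIXED_STATEMENT, the cloudwatch.amazonaws.com caller and the CloudWatch statement are constructed for the example; the other values are taken from the error message. The model deliberately leaves out Deny statements, Conditions, NotPrincipal/NotAction and role-ARN-with-path matching, and the account-root match still requires the role's identity-based policy to allow the action.

```python
"""Toy model of resource-based policy principal matching for the SNS topic in the question.

Not a full IAM evaluator: Deny statements, Conditions, NotPrincipal/NotAction and
role-ARN-with-path matching are deliberately left out. (Added example, not from the post.)
"""

# Taken from the CloudTrail error quoted in the question.
SECURITYHUB_CALLER = "arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub"
TOPIC_ARN = "arn:aws:sns:eu-central-1:987654321012:my-topic"
LIST_SUBS = "SNS:ListSubscriptionsByTopic"

# Constructed: CloudWatch Alarms publish to a topic as the service principal itself.
CLOUDWATCH_CALLER = "cloudwatch.amazonaws.com"

# The statement exactly as posted in the question.
POSTED_STATEMENT = {
    "Sid": "AllowSecurityHubAccess",
    "Effect": "Allow",
    "Principal": {"Service": "securityhub.amazonaws.com"},
    "Action": ["sns:ListSubscriptionsByTopic"],
    "Resource": "*",
}

# Constructed replacement (assumption): grant the role session ARN named in the error
# as an AWS principal and scope Resource to the topic instead of "*".
FIXED_STATEMENT = {
    "Sid": "AllowSecurityHubAccess",
    "Effect": "Allow",
    "Principal": {"AWS": SECURITYHUB_CALLER},
    "Action": ["sns:ListSubscriptionsByTopic"],
    "Resource": TOPIC_ARN,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def principal_matches(principal, caller):
    """caller is either an AWS service principal ('x.amazonaws.com') or an IAM/STS ARN.

    A Service entry matches only a service acting as itself. An IAM identity, including
    the session of a service-linked role, matches AWS entries only: its own ARN or its
    account root (root delegates to the identity-based policy, which must also allow)."""
    if principal == "*":
        return True
    if not caller.startswith("arn:"):
        return caller in _as_list(principal.get("Service", []))
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", caller, f"arn:aws:iam::{_account_of(caller)}:root"):
            return True
    return False


def action_matches(actions, action):
    """Action names are case-insensitive; supports 'sns:*' style prefix wildcards."""
    wanted = action.lower()
    for a in _as_list(actions):
        a = a.lower()
        if a == wanted or a == "*" or (a.endswith("*") and wanted.startswith(a[:-1])):
            return True
    return False


def resource_matches(resources, resource):
    return any(r in ("*", resource) for r in _as_list(resources))


def statement_allows(stmt, caller, action, resource):
    return (
        stmt.get("Effect") == "Allow"
        and principal_matches(stmt.get("Principal", {}), caller)
        and action_matches(stmt.get("Action", []), action)
        and resource_matches(stmt.get("Resource", []), resource)
    )


def explain(stmt, caller, action, resource):
    verdict = "ALLOW" if statement_allows(stmt, caller, action, resource) else "no match"
    return f"{stmt['Sid']:<24} {caller:<80} {action:<30} {verdict}"


if __name__ == "__main__":
    # Constructed CloudWatch statement: shows why the alarm path works with a Service principal.
    cw_stmt = {"Sid": "AllowCloudWatchPublish", "Effect": "Allow",
               "Principal": {"Service": "cloudwatch.amazonaws.com"},
               "Action": "SNS:Publish", "Resource": TOPIC_ARN}
    print(explain(cw_stmt, CLOUDWATCH_CALLER, "SNS:Publish", TOPIC_ARN))
    print(explain(POSTED_STATEMENT, SECURITYHUB_CALLER, LIST_SUBS, TOPIC_ARN))
    print(explain(FIXED_STATEMENT, SECURITYHUB_CALLER, LIST_SUBS, TOPIC_ARN))
```

Running it prints one line per statement: the CloudWatch statement allows the service caller, the posted Security Hub statement does not match the role session, and the constructed replacement does. The same three checks are what to compare against CloudTrail when a cross-account SNS access fails: read the principal ARN from the error and confirm the topic policy names that identity (or its account root) under "AWS", not only the service under "Service".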