Grant access to Security Hub for SNS topic in different account


We have a CloudWatch Alarm which triggers a SNS topic in a different account. Security Hub wants to check this topic, but fails with the below error visible in CloudTrail logs:

User: arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: arn:aws:sns:eu-central-1:987654321012:my-topic because no resource-based policy allows the SNS:ListSubscriptionsByTopic action

The topic contains the below access policy statement:

{
  "Sid": "AllowSecurityHubAccess",
  "Effect": "Allow",
  "Principal": {
    "Service": "securityhub.amazonaws.com"
  },
  "Action": [
    "sns:ListSubscriptionsByTopic"
  ],
  "Resource": "*"
}

Any ideas how to fix this?

1 Answer

Hi, did you also consider providing cross-account access to the resource? It seems the principal is in another account, so you need to create the trust.

answered 2 years ago
  • Well, the principal is a service-linked role in this case. AFAIK these don't need any trust, as the same works for CloudWatch, which successfully sends alarm notifications to the mentioned topic in a different account.
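As an added example (not code from the question, the answer, or AWS), the script below models how the topic's resource-based policy is matched against the caller shown in the CloudTrail error. It assumes the standard IAM evaluation rule that a request made through a service-linked role is evaluated as that role, i.e. as an AWS principal, so a "Service" principal entry does not cover it. The second policy names the calling role as an AWS principal; its ARN is derived from the session ARN in the error and is an assumption about the deployed role (service-linked roles carry a path, which this matcher deliberately ignores by comparing account and role name). The model covers Principal, Action and Resource only; Condition elements, NotPrincipal variants and the role's own identity-based policy are out of scope.

```python
import re

# Inputs taken from the question: topic ARN, caller from the CloudTrail error, action.
TOPIC_ARN = "arn:aws:sns:eu-central-1:987654321012:my-topic"
CALLER = "arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub"
ACTION = "SNS:ListSubscriptionsByTopic"

# The statement from the question, wrapped in a policy document.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSecurityHubAccess",
        "Effect": "Allow",
        "Principal": {"Service": "securityhub.amazonaws.com"},
        "Action": ["sns:ListSubscriptionsByTopic"],
        "Resource": "*",
    }],
}

ARN_RE = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):(.+)$")


def _aws_identity(value):
    """Reduce an AWS principal value to (account, role_name or None).

    Accepts a bare account id, an account root ARN, an IAM role ARN (with or
    without a path) or an STS assumed-role session ARN. Returns None otherwise.
    """
    if re.fullmatch(r"\d{12}", value):
        return value, None
    m = ARN_RE.match(value)
    if not m:
        return None
    account, rest = m.group(2), m.group(3)
    if rest == "root":
        return account, None
    if rest.startswith("role/"):
        return account, rest.split("/")[-1]   # role name, path dropped
    if rest.startswith("assumed-role/"):
        return account, rest.split("/")[1]    # role name, not the session name
    return None


def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: * matches any run, ? a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def principal_matches(principal, caller):
    """Does a statement's Principal element cover an assumed-role session caller?

    Assumption modelled here: a "Service" principal only matches a service acting
    as itself; a call made through a service-linked role arrives as the role, an
    AWS principal, so only "*" or an "AWS" entry naming the account, the role or
    the session can match. Account-level entries (root / bare id) additionally
    require the role's identity policy to allow the action, which is not modelled.
    """
    if principal == "*":
        return True
    if isinstance(principal, str):
        principal = {"AWS": principal}
    who = _aws_identity(caller)
    if who is None:
        return False
    for value in _as_list(principal.get("AWS", [])):
        if value == "*":
            return True
        allowed = _aws_identity(value)
        if allowed and allowed[0] == who[0] and allowed[1] in (None, who[1]):
            return True
    return False


def evaluate(policy, caller, action, resource):
    """Evaluate only the resource-based policy: "Allow", "Deny" or "ImplicitDeny"."""
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not principal_matches(stmt.get("Principal", {}), caller):
            continue
        if not any(_wild(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny wins over any Allow
        outcome = "Allow"
    return outcome


def role_arn_for_session(session_arn):
    """Path-less role ARN derived from a session ARN (assumption: the deployed
    service-linked role carries a path; principal_matches ignores it anyway)."""
    account, role = _aws_identity(session_arn)
    return f"arn:aws:iam::{account}:role/{role}"


# Constructed for this demonstration: the same grant, but naming the calling
# role as an AWS principal instead of the service principal.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSecurityHubRoleAccess",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn_for_session(CALLER)},
        "Action": ["sns:ListSubscriptionsByTopic"],
        "Resource": TOPIC_ARN,
    }],
}

if __name__ == "__main__":
    for name, pol in (("service principal", ORIGINAL_POLICY), ("role principal", FIXED_POLICY)):
        print(f"{name}: {evaluate(pol, CALLER, ACTION, TOPIC_ARN)}")
```

Running it shows the statement from the question ending in an implicit deny for the assumed-role caller, while the statement naming the role (or, equivalently under this model, the account root) is matched. Against a real topic, compare the output of `aws sns get-topic-attributes` for the Policy attribute with the principal in the CloudTrail error in the same way.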
