Solution to subscribe to an SNS topic from different region - aws-managed-waf-rule-notifications

Question

Hi all,

To receive updates on AWS Managed WAF rules, I need to set up a SNS subscription, which sounds simpler as it is.

**Situation:**  
* I need to subscribe to the AWS managed SNS topic "arn:aws:sns:us-east-1:248400274283:aws-managed-waf-rule-notifications"
* Our AWS Account is restricted to use services only in Europe (eu-central-1)
* SNS allows only subscriptions to a topic from same region. That means, I am technically not allowed to set up a SNS subscription in eu-central-1 for a topic in us-east-1

**Any input on how to get this solved is very much welcomed! Maybe I am overseeing a regional SNS topic for AWS Managed WAF rules?**

**What I tried:**  
* I set up an Amazon SQS queue in eu-central-1
* I subscribed to the SNS topic in us-east-1 (yes, you can subscribe a SQS queue from different region, but not a SNS subscription...)
* I set up a new SNS topic in eu-central-1 and subscribed to this new SNS topic (email notification)
* I set up an EventBridge Pipe to connect the SQS queue in eu-central-1 with the SNS topic in eu-central-1

With this solution I can subscribe to a SNS topic from different region, but the formatting of sent email is no good user experience:
**Expected:**  
* Subject: Test Subject
* Body: Body Message

**Actual Output:**  
* Subject: AWS Notification Message
* Body: {"messageId":"cc649599-66c9-47bd-a298-516336be9749","receiptHandle":"AQEBJ4piIsyDXEgL4OJAJ1i86ATWqq6DdiopctAH8SpeWeayNMePCxZZbEIxsrdgS3CYGYMjDL71RttBRu71SAoaD2aClBmg1L8jxMoMM/bzvTQN75PxweT7By/g5rb5AGgY35k0jMNFPDFcAhEHHJ7lgJkO2UtzS2xz7A9ZXru8MEhZETFDvUjYy2swmUdnU2CLlWdpMaCzSOQu6PVPBmJOBJjEWzRdjq0Euk7AmEw7s3++zHULCBukBKXM6jhN337sAxoQOCndjcSR1TF7hJPT0KSlnMi/Et5KKJPKpV67W+wjz74Yw0FmQ0s5f6fQUKwC/y2O/743ciPbfRsd0WTohp6C9kbdjZOHA1Tq+HV+IQxI+3Y8E8PN01byYhypxMxtvIPLX3e8o4u2PzU1QtNg1gv0G4NNEg4Sngm3mp3ZGtnUliJdez5F0sNSvaZLQnf1","body":"Body Message","attributes":{"ApproximateReceiveCount":"1","SentTimestamp":"1701293155916","SenderId":"AIDAIT2UOQQY3AUEKVGXU","ApproximateFirstReceiveTimestamp":"1701293155918"},"messageAttributes":{},"md5OfBody":"e7cb79e24fa803330b7709284f849bf2","eventSource":"aws:sqs","eventSourceARN":"arn:aws:sqs:eu-central-1:56xxxxxxxx24:sqs-managed-waf-rule-notifications_MANUELL","awsRegion":"eu-central-1"}

Riku_Kobayashi · Accepted Answer

Hello.

Even if you subscribe your email address and send notifications via email, a similar JSON will be sent to you.  
https://docs.aws.amazon.com/waf/latest/developerguide/waf-using-managed-rule-groups-sns-topic.html

Therefore, you will need to devise a way to notify Lambda, process the message, and send the email again via SNS.  
Since it is possible to subscribe to Lambda in eu-central-1 from the SNS subscription in us-east1, how about processing messages with Lambda?

Andre · Answer

Thanks @Riku!

It is indeed working with this solution:
[AWS managed SNS topic in us-east-1] -> [Lambda in my account in eu-central-1] -> [SNS topic in my account in eu-central-1]

If someone has the same issue:
* I created a Lambda function using the blueprint “Process messages pushed to an SNS topic”
* As trigger, I added [AWS managed SNS topic in us-east-1]
* As Lambda code, I added

import boto3
print('Loading message function...')
def lambda_handler(event, context):
    sns = boto3.client('sns')
    sns.publish(
         TopicArn="[SNS TopicArn in my account in eu-central-1]",
         Subject=event['Records'][0]['Sns']['Subject'],
         Message=event['Records'][0]['Sns']['Message']
    )
    return ('SNS sent to the network team reg. new AWS managed WAF rule notification')

Received emails are now as expected!

csujiabin · Answer

AWS supports subscribe SQS in one region to SNS topic in another region -
https://docs.aws.amazon.com/sns/latest/dg/sns-cross-region-delivery.html

Solution to subscribe to an SNS topic from different region - aws-managed-waf-rule-notifications

Relevant content