What SNS topic access policy to use for a CloudFormation CustomResource to post messages to an SNS topic in a different AWS account?


I have an SNS topic in ACCOUNT1; I would like to receive notifications from any other AWS account as long as it is a Custom Resource message. What condition can I add to the SNS topic access policy to restrict messages to those from CloudFormation Custom Resources only? I'd like to have a policy that can allow messages with a specific string in them rather than limiting the principal to specific AWS accounts.

1 Answer

Hello,

For a CloudFormation CustomResource to post messages to an SNS topic in another AWS account, you'll need to set up cross-account permissions. You will create an SNS topic access policy in the AWS account where the SNS topic resides (the "destination" account) and grant the necessary permissions to the AWS account where the CloudFormation custom resource is located (the "source" account).

[+] https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html

To add an SNS topic access policy that allows messages with a specific string, you can use the 'aws:SourceArn' condition key along with string comparison conditions in the SNS topic's access policy. This will allow you to filter messages based on their source ARN, which can be set by the publisher of the message.

An example:

[+] https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html

AWS
answered 7 months ago
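The policy shape the answer describes, as an added example that is not part of the original thread and not AWS's own code: it renders a cross-account topic policy whose `sns:Publish` grant is conditioned on `aws:SourceArn` matching the CloudFormation stack ARN format, and it implements IAM `StringLike` matching so you can check which source ARNs the condition would accept before deploying it. The account IDs, region, topic name and stack ARNs are made-up placeholders. One caveat a practitioner should keep in mind: `aws:SourceArn` is only present in the request context when an AWS service calls SNS on a principal's behalf; for a direct `sns:Publish` from an IAM principal the key is absent, a `StringLike` test on a missing key evaluates to false, and the statement grants nothing. The example models that case as `None`. Verify by testing which publish path your custom resource actually uses before relying on this condition. Note also that a topic access policy can only match request-context keys such as the source ARN, not a string inside the message body.

```python
"""Added example (not from the original re:Post thread): render the cross-account
SNS topic policy described in the answer and check which source ARNs its
StringLike condition on aws:SourceArn would match."""
import json
import re

# Constructed placeholders, not real resources.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:custom-resource-topic"  # ACCOUNT1 (destination)
SOURCE_ACCOUNTS = ["222222222222"]                                       # account running the stack
# Accept only source ARNs shaped like a CloudFormation stack ARN:
#   arn:aws:cloudformation:<region>:<account>:stack/<stack-name>/<stack-id>
STACK_ARN_PATTERN = "arn:aws:cloudformation:*:*:stack/*/*"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one
    character, everything else literally and case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def build_topic_policy(topic_arn, source_accounts, stack_arn_pattern):
    """Topic access policy: allow sns:Publish from the listed source accounts, but only
    when the request context carries an aws:SourceArn matching the stack ARN pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFormationCustomResourcePublish",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in source_accounts]},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"StringLike": {"aws:SourceArn": stack_arn_pattern}},
        }],
    }


def source_arn_allowed(policy, source_arn):
    """Simplified evaluation of the StringLike condition of each Allow statement.
    Principal and Resource matching are assumed to have passed already; the point
    is the condition. A request with no aws:SourceArn (None) fails the condition,
    so the statement grants nothing and the publish is denied."""
    if source_arn is None:
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:SourceArn", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(string_like(p, source_arn) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = build_topic_policy(TOPIC_ARN, SOURCE_ACCOUNTS, STACK_ARN_PATTERN)
    print(json.dumps(policy, indent=2))
    # Constructed sample request contexts: a stack ARN, a non-stack ARN, and no source ARN.
    for arn in [
        "arn:aws:cloudformation:us-east-1:222222222222:stack/my-stack/0123abcd-0000-1111-2222-333344445555",
        "arn:aws:lambda:us-east-1:222222222222:function:not-a-stack",
        None,
    ]:
        print(arn, "->", "allow" if source_arn_allowed(policy, arn) else "deny")
```

The printed JSON is what you would set as the topic's access policy (for example with `aws sns set-topic-attributes --attribute-name Policy`); the `Principal` list is still required, so this policy narrows the source account's access rather than opening the topic to every account.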
