Cross Region & Cross Account SNS Notification to Lambda

0

I have an SNS topic residing in ap-southeast-1 (Account A) and a Lambda function residing in ap-southeast-3 (Account B). I followed the steps provided in https://repost.aws/knowledge-center/sns-with-crossaccount-lambda-subscription, but SNS is unable to publish notifications to the Lambda function in Account B.

CloudWatch log for the SNS delivery failure: (screenshot not included in the page text)

2 Answers
0
Accepted Answer

After some digging, I found out that ap-southeast-3 is an opt-in region, where SNS does not support publishing notifications to Lambda. https://docs.aws.amazon.com/sns/latest/dg/sns-cross-region-delivery.html

answered 10 months ago
EXPERT
reviewed 10 months ago
0

Hello,

The error indicates an invalid security token. Confirm the following:

  • The Lambda function's execution role in Account B allows sns.amazonaws.com to invoke it.
  • The SNS topic policy in Account A allows it to publish to the Lambda function in Account B.

Verify Permissions in Account B (Lambda): Ensure that the Lambda function's execution role in Account B has the necessary permissions to allow SNS from Account A to invoke it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:ap-southeast-3:ACCOUNT_B_ID:function:YourLambdaFunctionName",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:sns:ap-southeast-1:ACCOUNT_A_ID:YourSNSTopicName"
        }
      }
    }
  ]
}

Verify SNS Topic Policy in Account A

Ensure the SNS topic policy allows the SNS service to publish to the Lambda function in Account B.

{
  "Version": "2012-10-17",
  "Id": "Policy_ID",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:role/LambdaExecutionRole"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:ap-southeast-1:ACCOUNT_A_ID:YourSNSTopicName"
    }
  ]
}

Referral Link: https://repost.aws/knowledge-center/sns-with-crossaccount-lambda-subscription

EXPERT
answered 10 months ago
  • I added both policies, but it still gets the same error...

  • Hey RZ, okay, even though you added both policies (SNS topic policy and IAM role policy), the "invalid security token" error persists.

    1. Focus on Account B: Double-check the IAM role assigned to your Lambda function there.

    2. Verify Policy and Attachment: Ensure the IAM role policy allows invocation by SNS. It should have:
       Effect: Allow
       Principal: arn:aws:iam::aws:service/sns
       Action: lambda:InvokeFunction
       Resource: Your Lambda function's ARN
       Confirm the Lambda function actually uses this IAM role (check its configuration).

    Sometimes there might be other IAM policies attached to the role that deny permissions, even if the policy you added allows invocation. Review all attached policies to ensure there are no conflicting statements.

    This official AWS documentation should help you troubleshoot the "invalid security token" error in your scenario: https://docs.aws.amazon.com/lambda/latest/dg/with-sns-example.html
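The following pre-flight checker is an added example, not code from this thread or from AWS, and it covers both answers at once: the opt-in Region limitation from the accepted answer, and the two policies posted above. It parses the topic and function ARNs offline (no AWS calls), flags a cross-Region delivery into an opt-in Region, verifies that the function's resource-based policy grants sns.amazonaws.com lambda:InvokeFunction with an aws:SourceArn condition pinned to the topic (without that condition, any SNS topic in any account could invoke the function), and verifies that the topic policy grants Account B sns:Subscribe, which is what creating the subscription from Account B needs. The Region set, the account IDs, the topic and function names and the sample policies are all constructed assumptions; the Region set in particular is an illustrative snapshot to be confirmed against the SNS cross-Region delivery documentation.

```python
# Pre-flight checks for a cross-account, cross-Region SNS -> Lambda subscription.
# Added example (not code from the thread); stdlib only, inspects ARNs and policy
# documents offline and never calls AWS.
import fnmatch
import re

# Opt-in Regions in which SNS does not deliver cross-Region to Lambda (the accepted
# answer's point). ASSUMPTION: illustrative snapshot, confirm against
# https://docs.aws.amazon.com/sns/latest/dg/sns-cross-region-delivery.html
LAMBDA_UNSUPPORTED_OPT_IN_REGIONS = {
    "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4",
    "ca-west-1", "eu-central-2", "eu-south-1", "eu-south-2", "il-central-1",
    "me-central-1", "me-south-1",
}
ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*)"
                    r":(?P<account>\d{12}):(?P<resource>.+)$")

def parse_arn(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.groupdict()

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _source_arn_patterns(stmt):
    """aws:SourceArn values from a Condition block; condition keys are case-insensitive."""
    for op, kv in stmt.get("Condition", {}).items():
        if op.lower() in ("arnlike", "arnequals", "stringlike", "stringequals"):
            for key, val in kv.items():
                if key.lower() == "aws:sourcearn":
                    return _as_list(val)
    return []

def check_delivery_path(topic_arn, function_arn):
    """Can SNS deliver from this topic to this function at all?"""
    t, fn = parse_arn(topic_arn), parse_arn(function_arn)
    findings = []
    if t["partition"] != fn["partition"]:
        findings.append("topic and function are in different partitions")
    if t["region"] != fn["region"] and fn["region"] in LAMBDA_UNSUPPORTED_OPT_IN_REGIONS:
        findings.append(f"cross-Region delivery to Lambda in opt-in Region {fn['region']} is not supported")
    return findings

def check_lambda_policy(policy, topic_arn, function_arn):
    """The function's resource-based policy (what `aws lambda add-permission` writes) must let
    sns.amazonaws.com invoke the function, pinned to the one topic via aws:SourceArn."""
    for s in _as_list(policy.get("Statement", [])):
        principal = s.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow" and "sns.amazonaws.com" in services
                and "lambda:InvokeFunction" in _as_list(s.get("Action", []))
                and function_arn in _as_list(s.get("Resource", []))):
            patterns = _source_arn_patterns(s)
            if not patterns:
                return ["invoke grant to sns.amazonaws.com has no aws:SourceArn condition: "
                        "any topic in any account could invoke the function (confused deputy)"]
            if not any(fnmatch.fnmatchcase(topic_arn, p) for p in patterns):
                return [f"aws:SourceArn {patterns} does not match topic {topic_arn}"]
            return []
    return ["no Allow statement lets sns.amazonaws.com call lambda:InvokeFunction on the function"]

def check_topic_policy(policy, topic_arn, subscriber_account):
    """Account B must be granted sns:Subscribe on the topic before it can create the
    subscription from its side; a grant of SNS:Publish does not help with that."""
    for s in _as_list(policy.get("Statement", [])):
        principal = s.get("Principal", {})
        grantees = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(s.get("Action", []))}
        if (s.get("Effect") == "Allow" and topic_arn in _as_list(s.get("Resource", []))
                and any(g == subscriber_account or g.startswith(f"arn:aws:iam::{subscriber_account}:")
                        for g in grantees)
                and actions & {"sns:subscribe", "sns:*"}):
            return []
    return [f"topic policy does not grant sns:Subscribe to account {subscriber_account}"]

def run_all(topic_arn, function_arn, lambda_policy, topic_policy):
    subscriber = parse_arn(function_arn)["account"]
    return (check_delivery_path(topic_arn, function_arn)
            + check_lambda_policy(lambda_policy, topic_arn, function_arn)
            + check_topic_policy(topic_policy, topic_arn, subscriber))

# Constructed sample inputs in the thread's layout (fake account IDs, assumed names).
TOPIC_ARN = "arn:aws:sns:ap-southeast-1:111111111111:orders"
FUNCTION_ARN = "arn:aws:lambda:ap-southeast-3:222222222222:function:handle-orders"
SAMPLE_LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": TOPIC_ARN}}}]}
# Same shape as the topic policy in the answer above: it grants Publish, not Subscribe.
PUBLISH_ONLY_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:role/LambdaExecutionRole"},
    "Action": "SNS:Publish", "Resource": TOPIC_ARN}]}

if __name__ == "__main__":
    for finding in run_all(TOPIC_ARN, FUNCTION_ARN, SAMPLE_LAMBDA_POLICY, PUBLISH_ONLY_TOPIC_POLICY):
        print("FINDING:", finding)
```

Run against the constructed inputs it reports two findings: the function sits in an opt-in Region that SNS will not deliver to cross-Region, and the topic policy grants Publish to Account B's role rather than Subscribe. The Lambda policy passes because its aws:SourceArn is pinned to the topic; drop that condition and the checker flags the confused-deputy exposure instead. The checker reads policy documents you fetch yourself (for example the output of `aws lambda get-policy` and `aws sns get-topic-attributes`), so it can run in CI before the subscription is created.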
