Call cross account lambda from SNS

Question

Hello,

We are in need to call lambda function within our organizations AWS account from Vendor's AWS account based on SNS notification.
Currently we have roles and permissions configured in such way that we can call / use vendor's AWS resources but they can't access our's and at the same time we don't want to open it to them.
What should be our best path to make this communication work?

Thank You,
Yogesh

Answer

Hi Yogesh,

To my understanding you must allow partial access (limited to sns arn) from the vendor for it to work, so here my suggested steps:
- create the sns topic in the vendor's account and update it's resource-based policy to allow lambda of your account to subscribe to it.
- update the resource-based policy of the lambda to allow invocation from the vendor's account sns arn.
- subscribe the lambda function in the vendor's account sns topic.

Check out this link for a step by step tutorial:
https://www.shogan.co.uk/aws/aws-sns-to-lambda-cross-account-setup/

Sincerley
Heiko

Call cross account lambda from SNS

相关内容