Grant access to Security Hub for SNS topic in different account

0

We have a CloudWatch Alarm which triggers an SNS topic in a different account. Security Hub wants to check this topic, but fails with the error below, visible in the CloudTrail logs:

User: arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: arn:aws:sns:eu-central-1:987654321012:my-topic because no resource-based policy allows the SNS:ListSubscriptionsByTopic action

The topic contains the access policy statement below:

{
  "Sid": "AllowSecurityHubAccess",
  "Effect": "Allow",
  "Principal": {
    "Service": "securityhub.amazonaws.com"
  },
  "Action": [
    "sns:ListSubscriptionsByTopic"
  ],
  "Resource": "*"
}

Any ideas how to fix this?

1 answer
0

Hi, did you also consider providing cross-account access to the resource? It seems the principal is in another account, so you need to create the trust.

answered 2 years ago
  • Well, the principal is a service-linked role in this case. AFAIK these don't need any trust, as the same works for CloudWatch, which successfully sends alarm notifications to the mentioned topic in a different account.
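The CloudTrail message in the question names an STS assumed-role principal in account 012345678912, while the posted statement grants the securityhub.amazonaws.com service principal. The Python script below is an added illustration for this thread, not code from AWS, from the asker or from the answerer: it parses that AccessDenied message and runs a deliberately simplified model of the Principal and Action matching step of a resource policy statement, comparing the posted statement with one that names the service-linked role as an AWS principal. The full role ARN with the aws-service-role/securityhub.amazonaws.com/ path is assumed from the standard naming scheme for service-linked roles; Resource, Condition and the identity-based side of the cross-account evaluation are left out of the model.

```python
"""Model of the Principal/Action matching step for an SNS topic access policy.

Added example for this thread, not AWS code. Only Effect, Principal and Action
of a single statement are modelled; Resource, Condition, identity-based
policies and SCPs are ignored, so this explains the principal-type mismatch
the error points at, not the complete IAM evaluation.
"""
import re
from fnmatch import fnmatchcase
from typing import Any, Dict, Tuple

# Constructed from the thread's own error message; the service-linked role
# path is assumed from the standard SLR naming scheme.
ACCESS_DENIED = (
    "User: arn:aws:sts::012345678912:assumed-role/AWSServiceRoleForSecurityHub/securityhub "
    "is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: "
    "arn:aws:sns:eu-central-1:987654321012:my-topic because no resource-based "
    "policy allows the SNS:ListSubscriptionsByTopic action"
)
SLR_ROLE_ARN = ("arn:aws:iam::012345678912:role/aws-service-role/"
                "securityhub.amazonaws.com/AWSServiceRoleForSecurityHub")

# The statement as posted in the question (Service principal).
POSTED_STATEMENT = {
    "Sid": "AllowSecurityHubAccess",
    "Effect": "Allow",
    "Principal": {"Service": "securityhub.amazonaws.com"},
    "Action": ["sns:ListSubscriptionsByTopic"],
    "Resource": "*",
}
# Same statement, but naming the role that actually appears in the error.
ROLE_STATEMENT = dict(POSTED_STATEMENT, Principal={"AWS": SLR_ROLE_ARN})

_DENIED_RE = re.compile(
    r"User: (?P<user>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)
_STS_SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
_IAM_ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def parse_access_denied(message: str) -> Dict[str, str]:
    """Pull caller, action and resource out of a CloudTrail AccessDenied message."""
    m = _DENIED_RE.search(message)
    if not m:
        raise ValueError("not an AccessDenied message in the expected form")
    return m.groupdict()


def caller_identity(arn: str) -> Tuple[str, str]:
    """Normalise an IAM role ARN or an STS assumed-role session ARN to (account, role name).

    STS session ARNs omit the role's path, so comparing by account and role name
    is what lets the session ARN from the error line up with the full role ARN.
    """
    m = _STS_SESSION_RE.match(arn)
    if m:
        return m.group(1), m.group(2)
    m = _IAM_ROLE_RE.match(arn)
    if m:
        return m.group(1), m.group(2).rsplit("/", 1)[-1]
    raise ValueError(f"not a role or assumed-role ARN: {arn}")


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def principal_matches(principal: Any, caller: str) -> bool:
    """True when the statement's Principal covers the caller.

    A "Service" entry matches only a service principal acting as itself
    (e.g. "cloudwatch.amazonaws.com"). A call made by an IAM role, including a
    service-linked role, arrives as an STS assumed-role ARN and is matched by
    an "AWS" entry naming that role.
    """
    if principal == "*":
        return True
    for kind, values in principal.items():
        values = _as_list(values)
        if kind == "Service" and caller in values:
            return True
        if kind == "AWS":
            if "*" in values:
                return True
            try:
                who = caller_identity(caller)
            except ValueError:
                continue
            for v in values:
                try:
                    if caller_identity(v) == who:
                        return True
                except ValueError:
                    pass
    return False


def action_matches(statement_action: Any, action: str) -> bool:
    """IAM action names are case-insensitive and may use '*' wildcards."""
    return any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(statement_action))


def statement_allows(statement: Dict[str, Any], caller: str, action: str) -> bool:
    """Simplified check: Effect is Allow, and both Principal and Action match."""
    return (statement.get("Effect") == "Allow"
            and principal_matches(statement.get("Principal", {}), caller)
            and action_matches(statement.get("Action", []), action))


if __name__ == "__main__":
    denied = parse_access_denied(ACCESS_DENIED)
    for name, stmt in (("posted", POSTED_STATEMENT), ("role-principal", ROLE_STATEMENT)):
        print(f"{name:15s} covers {denied['user']}: "
              f"{statement_allows(stmt, denied['user'], denied['action'])}")
```

Running it prints that the posted statement does not cover the assumed-role caller while the role-principal statement does. Whether the real call succeeds also depends on the role's own permissions in the calling account, which for a service-linked role are managed by AWS, and on any Condition keys on the topic policy, none of which this model evaluates; for cross-account troubleshooting, the User, action and resource fields parsed from the CloudTrail message are the values to compare against the resource policy.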
