Question:
We have two accounts 111111111111 and 222222222222.
Requirement – Account 111111111111 will create a snapshot of an RDS instance on a daily basis. Once the snapshot is taken, we want account 111111111111 to publish to the SNS topic created in account 222222222222. Once account 222222222222 receives the notification, it runs a Lambda function.
I have attached the following policy to the topic created in account 222222222222
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestoreRDSEng_topic_publish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111111111111"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:222222222222:RestoreRDSEng",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "222222222222"
        }
      }
    }
  ]
}
```
I am receiving the following error when account 111111111111 is trying to publish to 222222222222:

> "message": "AuthorizationError: User: arn:aws:sts::************assumed-role/tf-rds_eventhandler/tf-rds_eventhandler is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:xxxxxxxxxxxx:RestoreRDSEng\n\tstatus code: 403, request id: 098f4647-c9ad-51fe-9bc3-17b45deef60e"
Questions:
- Is there anything wrong in this approach?
- Should I create a role in account 222222222222 with trusted access to 111111111111?
- Any other suggestions would be appreciated.
Answer:
The Principal needs to be the service or role in account 11111… that you want to take the action of publishing to the SNS topic. For example:
```json
"Principal": {
  "Service": "cloudtrail.amazonaws.com"
}
```