Configure AWS Config to send to one global SNS topic

Tags: amazon-sns, amazon-web-services, aws-cli

I'm using CloudCheckr.com, and following recommendations to enable AWS Config in regions where we currently have no activity.

Ideally, I want to set up each region to use the same S3 bucket and SNS topic from the default region (since it's already set up), but I'm getting errors such as:

Last AWS Error Message: User: arn:aws:sts::XXXXXXX:assumed-role/config-role/AWSConfig-Delivery is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:XXXXXXX:assumed:config-topic (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; ...

I've tried to set up the config-role IAM user with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "appstream:Get*",
            "autoscaling:Describe*",
            "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudformation:GetTemplate",
            "cloudformation:List*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "config:Put*",
            "directconnect:Describe*",
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables",
            "ec2:Describe*",
            "elasticache:Describe*",
            "elasticbeanstalk:Check*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "elasticbeanstalk:RequestEnvironmentInfo",
            "elasticbeanstalk:RetrieveEnvironmentInfo",
            "elasticloadbalancing:Describe*",
            "elastictranscoder:Read*",
            "elastictranscoder:List*",
            "iam:List*",
            "iam:Get*",
            "kinesis:Describe*",
            "kinesis:Get*",
            "kinesis:List*",
            "opsworks:Describe*",
            "opsworks:Get*",
            "route53:Get*",
            "route53:List*",
            "redshift:Describe*",
            "redshift:ViewQueriesInConsole",
            "rds:Describe*",
            "rds:ListTagsForResource",
            "s3:Get*",
            "s3:List*",
            "sdb:GetAttributes",
            "sdb:List*",
            "sdb:Select*",
            "ses:Get*",
            "ses:List*",
            "sns:Get*",
            "sns:List*",
            "sqs:GetQueueAttributes",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "storagegateway:List*",
            "storagegateway:Describe*",
            "trustedadvisor:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }, {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject*"
        ],
        "Resource": [
            "arn:aws:s3:::config-bucket-XXXXXXXXXXXX/AWSLogs/XXXXXXXXXXXX/*"
        ],
        "Condition": {
            "StringLike": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    }, {
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketAcl"
        ],
        "Resource": "arn:aws:s3:::config-bucket-XXXXXXXXXXXX"
    }, {
        "Effect": "Allow",
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
    }]
}

but that doesn't seem to grant the right permission. I keep getting:

The provided SNS topic ARN is invalid.

even though I'm positive that's the right ARN for the existing topic.

Here are the permissions for that SNS ARN:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:ListSubscriptionsByTopic",
        "SNS:Subscribe",
        "SNS:DeleteTopic",
        "SNS:GetTopicAttributes",
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:AddPermission",
        "SNS:Receive",
        "SNS:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "XXXXXXXXXXXX"
        }
      }
    },
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXXXXXXXXX:root"
        ]
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
    }
  ]
}

Anybody ever done this before?

Even better, does anybody have a script that maybe sets up a region from the cli?

Best Answer

You can technically publish SNS topics across regions, but I would create a topic in each region you are setting up the service in (e.g. use eu-west-1 for SNS in the IAM policy for EU West) and then direct all these messages from the different regions into a single SQS queue in the home region of your choice.

If you still want to continue down the path you're already on, you need to make sure your IAM role has the right region in the SNS Publish permissions (it should be eu-west-1 instead of us-east-1).
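Here is the per-region setup the answer recommends, written as an added example (it is not code from the question, the answer, or CloudCheckr): one SNS topic per region, subscribed to a single home-region SQS queue, with the Config role's sns:Publish scoped to the regional topic. It assumes the AWS CLI is installed and credentialed, that the Config bucket, the config-role IAM role and the central SQS queue already exist, and that its queue policy allows the regional topics to send to it; all names and the account id are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes AWS CLI, an existing
# config-role, an existing Config bucket and a central SQS queue whose policy
# accepts SendMessage from the regional topics. Names are placeholders.
set -eu

# Per-region topic ARN (the answer recommends one topic per region).
sns_topic_arn() {           # $1 = region, $2 = account id, [$3 = topic name]
  printf 'arn:aws:sns:%s:%s:%s' "$1" "$2" "${3:-config-topic}"
}

# Minimal delivery policy for the Config role, with sns:Publish scoped to the
# topic in the region being configured (the question's policy named us-east-1).
config_role_policy() {      # $1 = region, $2 = account id, $3 = bucket
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::$3/AWSLogs/$2/*",
  "Condition":{"StringLike":{"s3:x-amz-acl":"bucket-owner-full-control"}}},
 {"Effect":"Allow","Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::$3"},
 {"Effect":"Allow","Action":"sns:Publish","Resource":"$(sns_topic_arn "$1" "$2")"}]}
EOF
}

# Pre-flight check for the 403 in the question: does the policy's sns:Publish
# resource live in the target region? Returns 0 on match, 1 otherwise.
policy_sns_region_matches() {   # $1 = policy json, $2 = region
  printf '%s' "$1" | grep -Eq "arn:aws:sns:$2:[0-9]+:"
}

# Set up Config in one region: regional topic, role policy, recorder, channel.
setup_region() {   # $1 = region, $2 = account id, $3 = bucket, $4 = central SQS ARN
  region=$1; account=$2; bucket=$3; queue_arn=$4
  topic_arn=$(aws sns create-topic --region "$region" --name config-topic \
                --query TopicArn --output text)
  # Fan the regional topic into the single home-region SQS queue.
  aws sns subscribe --region "$region" --topic-arn "$topic_arn" \
      --protocol sqs --notification-endpoint "$queue_arn" >/dev/null
  aws iam put-role-policy --role-name config-role \
      --policy-name "config-delivery-$region" \
      --policy-document "$(config_role_policy "$region" "$account" "$bucket")"
  aws configservice put-configuration-recorder --region "$region" \
      --configuration-recorder "name=default,roleARN=arn:aws:iam::${account}:role/config-role"
  aws configservice put-delivery-channel --region "$region" \
      --delivery-channel "name=default,s3BucketName=$bucket,snsTopicARN=$topic_arn"
  aws configservice start-configuration-recorder --region "$region" \
      --configuration-recorder-name default
}
```

Run it per region, e.g. `setup_region eu-west-1 123456789012 config-bucket-123456789012 arn:aws:sqs:us-east-1:123456789012:config-central`, and keep the bucket policy's s3:PutObject grant for the role unchanged.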