I'm facing a problem regarding SNS notification.
I would like to prepare a backup policy for Organization where I have w backup policy on the master account and SNS topic also. I'm using Terraform to prepare stack in Cloudformation to create a backup vault for each selected account but when I want to set up the notification then I receive the following error:
aws backup put-backup-vault-notifications \
--backup-vault-name test_backup_vault \
--sns-topic-arn arn:aws:sns:eu-central-1:XXXXX:cross-account-backup-topic \
--backup-vault-events RESTORE_JOB_STARTED RESTORE_JOB_COMPLETED RECOVERY_POINT_MODIFIED
An error occurred (InvalidParameterValueException) when calling the PutBackupVaultNotifications
operation: Provided SNS topic belongs to another account
I saw there is an option to grant permission cross-account: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html
How I can achieve this?
Related
I have a queue with has policy that allows sendMessage, receiveMessage actions via a service role (Principal has role arn). Lambda and other services use this role to send messages to this queue.
I also have a AWS console developer role that allows me to send a message via console (SQS send, receive message option).
If SQS policy explicitly allows sendMessage only for a service role, how am I able to post via AWS console?
From Using identity-based policies with Amazon SQS - Amazon Simple Queue Service:
Using Amazon SQS and IAM policies
There are two ways to give your users permissions to your Amazon SQS resources: using the Amazon SQS policy system and using the IAM policy system. You can use one or the other, or both. For the most part, you can achieve the same result with either one.
There is one major difference between IAM and Amazon SQS policies: the Amazon SQS policy system lets you grant permission to other AWS Accounts, whereas IAM doesn't.
Basically, you can use either an SQS Policy or an IAM Policy. If one of them permits the action, with neither of them Denying the action, then the action will be permitted.
When you are using the Amazon SQS console, you are most probably using an IAM permission that has been assigned to you. If it grants the necessary permission, then the SQS Policy is not required.
I am trying to set cross account data transfer from AWS Lambda in AWS account A to SQS in AWS account B using boto3. Below are the steps which I have followed.
Created an IAM role in account A which has "SendMessage" access to SQS queue in account B. (Given an ARN of SQS queue of account B)
Added an account ID of AWS account B in the trust relationship of an IAM role in account A.
Attached this IAM role to Lambda function and written a code to send the message to SQS queue using SQS queue URL.
Created an SQS queue in account B.
In the SQS queue access policy I have written a policy which will allow lambda role of account A to send message to its SQS queue.
================================================================================
After that when I am trying to test my lambda function, it is giving me below error.
[ERROR] ClientError: An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://queue.amazonaws.com/ is denied.
=====================================================================================
Can anybody please help to understand what's wrong here?.
This error can occur if you are attempting to access SQS via the boto3 Python library (e.g. OP's lambda) from inside a VPC with private DNS enabled.
Per AWS documentation:
Private DNS doesn't support legacy endpoints such as queue.amazonaws.com or us-east-2.queue.amazonaws.com.
(emphasis mine)
To solve this error:
Create a VPC endpoint for com.amazonaws.<region>.sqs in your VPC
Pass the appropriate service endpoint URL to the boto3.client() constructor:
import boto3
client = boto3.client('sqs', endpoint_url='https://sqs.%s.amazonaws.com' % region)
IAM permissions are left as an exercise to the reader.
I am trying to create an Event Subscription for RDS via AWS CLI
I have successfully created an SNS and can confirm it in AWS Console.
I am also able to create Event Subscription via AWS Console but not through AWS CLI
The command that I am running :
aws rds create-event-subscription --subscription-name rds-replica-events-subscription --sns-topic-arn arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms --enabled
The error message :
An error occurred (SNSInvalidTopic) when calling the CreateEventSubscription operation: Failed to create Subscription because of Topic arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms ARN Name Invalid.
Fixed. I had to add region.
aws rds create-event-subscription --region us-east-2--subscription-name rds-replica-events-subscription --sns-topic-arn arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms --enabled
I am deploying an EC2 instance using CloudFormation and I need to publish information about the created instance to an HTTP endpoint. I plan on doing this using SNS. However, I do not want the instance to have permanent access to publish to the endpoint or be able to use the AWS CLI.
Is there a way to deploy the instance with permission to publish to a specified SNS topic and then rescind permission immediately afterwards?
Use IAM (IAM and Amazon SNS Policies Together) to create a SNS Role which has just enough privileges to publish a specified SNS topic.
Launch the instance and specify the your role as instance's IAM profile
After publishing, remove the SNS privileges from the role using the IAM dashboard or from the instance (make sure the role has privileges to rescind the permission)
I am currently trying to enable AWS Config notifications on multiple accounts. I have enabled monitoring on each individual account with its own S3 bucket and SNS topic, but it would make more sense to have one centralized bucket and topic. I am trying to implement this with little success.
I have created an s3 bucket and target ARN but when I try and apply the changes I get an error of insufficient delivery policy
Note I am doing this through the AWS console and not with code.
To do this, you need two pieces:
The Identity and Access Management (IAM) Role being used must have permissions to deliver data to the common S3 bucket and SNS Topic. You'll need to go to the IAM Management Console, and edit the role being used by Config in each account and update the S3 bucket/SNS names in "PutObject", "GetBucketACL" and "sns:Publish"
You also need to allow the S3 bucket and SNS Topic to receive data from this new role. See
a. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_accounts_bucket_policy.html
b. http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage_UseCases_Sns.html