Permissions for the Amazon SNS Topic - AWS Config
Required Permissions for the Amazon SNS Topic When Using IAM RolesRequired Permissions for the Amazon SNS Topic When Using Service-Linked RolesTroubleshooting for the Amazon SNS Topic

Permissions for the Amazon SNS Topic

Use the information in this topic only if you want to configure AWS Config to deliver Amazon SNS topics owned by your account or by a different account. AWS Config must have permissions to send notifications to an Amazon SNS topic.

Note

AWS Config currently only supports same region and cross account access. SNS topics used for remediation AWS Systems Manager documents (SSM documents) or for the recorder delivery channel cannot be cross-region.

Required Permissions for the Amazon SNS Topic When Using IAM Roles

You can attach a permission policy to the Amazon SNS topic owned by a different account. If you want to use an Amazon SNS topic from another account, make sure to attach the following policy to an existing Amazon SNS topic. 


 {
  "Id": "Policy1415489375392",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy20150201",
      "Action": [
        "SNS:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Principal": {
        "AWS": [
          "account-id1",
          "account-id2",
          "account-id3"
        ]
      }
    }
  ]
}

For the Resource key, account-id is the account number of the topic owner. For account-id1, account-id2, and account-id3, use the AWS accounts that will send data to an Amazon SNS topic. You must substitute appropriate values for region and myTopic.

Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles

If you set up AWS Config using a service-linked role, you need to attach a permission policy to the Amazon SNS topic. If you want to use an Amazon SNS topic from your own account, make sure to attach the following policy to an existing Amazon SNS topic. 


{
"Id": "Policy_ID",
"Statement": [
  {
    "Sid": "AWSConfigSNSPolicy",
    "Effect": "Allow",
    "Principal": {
      "Service": "config.amazonaws.com"
    },
    "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:region:account-id:myTopic"
    }
]
}

You must substitute appropriate values for region, account-id, and myTopic.

Troubleshooting for the Amazon SNS Topic

AWS Config must have permissions to send notifications to an Amazon SNS topic. If an Amazon SNS topic cannot receive notifications, verify that the IAM role that AWS Config was assuming must have sns:publish permissions.