Compliance notifications by SNS in the audit account
To receive compliance change notifications in email sent to your audit account, subscribe to this Amazon SNS topic:
arn:aws:sns:
AWSRegion
:AuditAccount
:aws-controltower-AggregateSecurityNotifications
When subscribing, substitute your actual AWS Control Tower home Region and audit account information into the topic name shown. You can subscribe to SNS topics that receive notifications about each supported AWS Region in which you run AWS Control Tower.
SNS topics and notifications you can receive
-
The
aws-controltower-AllConfigNotifications
topic:It receives notifications from AWS Config regarding compliance, noncompliance, and change. It also receives notification from AWS CloudTrail on log file delivery.
-
The
aws-controltower-SecurityNotifications
topic:One of these topics exists for each supported AWS Region. It receives compliance, noncompliance, and change notifications from AWS Config in that Region. It forwards all incoming notifications to
aws-controltower-AggregateSecurityNotifications
-
The
aws-controltower-AggregateSecurityNotifications
topic:This topic exists in each supported AWS Region. It receives compliance change notifications from the region-specific
aws-controltower-SecurityNotifications
topics. Additionally, in the home Region, it also receives drift notifications.
Other considerations about SNS topics:
-
All of these topics exist and receive notifications in the Audit account.
-
By default, the Audit account email address is subscribed to the
aws-controltower-AggregateSecurityNotifications
SNS topic. -
SNS topics in AWS Control Tower are extremely noisy, by design. For example, AWS Config sends a notification every time AWS Config discovers a new resource.
-
Administrators who wish to filter out specific types of notifications from an SNS topic can create an AWS Lambda function and subscribe it to the SNS topic. Alternatively, you can set up an EventBridge rule to filter notifications, as described in this support article, How can I be notified when an AWS resource is non-compliant using AWS Config?
-
AWS Config notifications contain a JSON object.
-
AWS Control Tower drift notifications appear in plain text.
The AWS Config SNS topic policy
The AWS Config SNS topic policy contains the aws:SourceOrgID
condition key. The policy is shown in the following example.
SNSAllConfigurationTopicPolicy: Type: AWS::SNS::TopicPolicy Properties: Topics: - !Ref SNSAllConfigurationTopic PolicyDocument: Statement: - Sid: AWSSNSPolicy Action: - sns:Publish Effect: Allow Resource: !Ref SNSAllConfigurationTopic Principal: Service: - cloudtrail.amazonaws.com - config.amazonaws.com Condition: StringEquals: aws:SourceOrgID: !Ref OrganizationId