Configuring Amazon SNS topics for Change Manager notifications - AWS Systems Manager


You can configure Change Manager, a capability of AWS Systems Manager, to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic for events related to change requests and change templates. Complete the following tasks to receive notifications for the Change Manager event types that you associate the topic with.

Task 1: Create and subscribe to an Amazon SNS topic

First, you must create and subscribe to an Amazon SNS topic. For more information, see Creating an Amazon SNS topic and Subscribing to an Amazon SNS topic in the Amazon Simple Notification Service Developer Guide.

Note

To receive notifications, you must specify the Amazon Resource Name (ARN) of an Amazon SNS topic that is in the same AWS Region and AWS account as the delegated administrator account.

Task 2: Update the Amazon SNS access policy

Use the following procedure to update the Amazon SNS access policy so that Systems Manager can publish Change Manager notifications to the Amazon SNS topic you created in Task 1. Until you complete this task, Change Manager doesn't have permission to publish to the topic, so no notifications are delivered for the event types you associate it with.

  1. Sign in to the AWS Management Console and open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. In the navigation pane, choose Topics.

  3. Choose the topic you created in Task 1, and then choose Edit.

  4. Expand Access policy.

  5. Add the following Sid block to the existing policy, replacing each user input placeholder with your own information.

    {
        "Sid": "Allow Change Manager to publish to this topic",
        "Effect": "Allow",
        "Principal": {
            "Service": "ssm.amazonaws.com"
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:region:account-id:topic-name",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": [
                    "account-id"
                ]
            }
        }
    }

    Enter this block after the existing Sid block, and replace region, account-id, and topic-name with the values for the topic you created. Keep the aws:SourceAccount condition: it limits the grant to requests that Systems Manager makes on behalf of your own account, rather than allowing the service principal to publish on behalf of any account.

  6. Choose Save changes.

The system now sends notifications to the Amazon SNS topic when an event of a type that you associated the topic with occurs.

Important

If you configured the Amazon SNS topic with an AWS Key Management Service (AWS KMS) server-side encryption key, then you must complete Task 3.

Task 3: (Optional) Update the AWS Key Management Service access policy

If you turned on AWS Key Management Service (AWS KMS) server-side encryption for your Amazon SNS topic, then you must also update the access policy of the AWS KMS key you chose when you configured the topic. Use the following procedure to update the access policy so that Systems Manager can publish Change Manager approval notifications to the Amazon SNS topic you created in Task 1.

  1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose the ID of the customer managed key you chose when you created the topic.

  5. In the Key policy section, choose Switch to policy view.

  6. Choose Edit.

  7. Add the following Sid block to the existing policy, replacing each user input placeholder with your own information.

    {
        "Sid": "Allow Change Manager to decrypt the key",
        "Effect": "Allow",
        "Principal": {
            "Service": "ssm.amazonaws.com"
        },
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource": "arn:aws:kms:region:account-id:key/key-id",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": [
                    "account-id"
                ]
            }
        }
    }

    Enter this block after one of the existing Sid blocks, and replace region, account-id, and key-id with the values for the key you chose for the topic. Both actions are required: publishing to an encrypted topic needs kms:GenerateDataKey* as well as kms:Decrypt. As in Task 2, keep the aws:SourceAccount condition so that the key is usable by Systems Manager only on behalf of your account.

  8. Choose Save changes.
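The two console procedures above (Task 2 for the topic policy, Task 3 for the key policy) both amount to inserting one statement into an existing resource policy without disturbing the statements already there. The following Python is an added example, not code from the AWS documentation: it builds the two statements from the page, merges each into a policy document idempotently (re-running does not duplicate the Sid), and checks that the resulting statement is scoped to the expected account and resource ARN. The account ID, Region, topic name, key ID and the starting topic policy are constructed sample values, not real resources.

```python
"""Build the Change Manager (ssm.amazonaws.com) statements for an Amazon SNS topic
policy and an AWS KMS key policy, merge them into an existing policy document,
and check that the merged statement is scoped the way the page requires.

Added example, not code from the AWS documentation. All identifiers below are
constructed sample values.
"""
import json

SNS_SID = "Allow Change Manager to publish to this topic"
KMS_SID = "Allow Change Manager to decrypt the key"
SSM_PRINCIPAL = {"Service": "ssm.amazonaws.com"}

# Constructed starting point shaped like the default policy SNS attaches to a new
# topic (only the owner account may act on it). Not copied from a real account.
SAMPLE_SNS_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
        "Resource": "arn:aws:sns:us-east-1:123456789012:change-manager-notifications",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
})


def _statements(policy: dict) -> list:
    """IAM allows "Statement" to be a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def sns_publish_statement(region: str, account_id: str, topic_name: str) -> dict:
    """Task 2 statement. aws:SourceAccount limits the grant to publishes that
    Systems Manager makes on behalf of this account (confused-deputy guard)."""
    return {
        "Sid": SNS_SID,
        "Effect": "Allow",
        "Principal": SSM_PRINCIPAL,
        "Action": "sns:Publish",
        "Resource": f"arn:aws:sns:{region}:{account_id}:{topic_name}",
        "Condition": {"StringEquals": {"aws:SourceAccount": [account_id]}},
    }


def kms_statement(region: str, account_id: str, key_id: str) -> dict:
    """Task 3 statement, for a topic encrypted with a customer managed KMS key."""
    return {
        "Sid": KMS_SID,
        "Effect": "Allow",
        "Principal": SSM_PRINCIPAL,
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
        "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}",
        "Condition": {"StringEquals": {"aws:SourceAccount": [account_id]}},
    }


def upsert_statement(policy_json: str, statement: dict) -> str:
    """Return the policy with `statement` appended. An existing statement with the
    same Sid is replaced, so running this twice does not duplicate the grant."""
    policy = json.loads(policy_json)
    kept = [s for s in _statements(policy) if s.get("Sid") != statement["Sid"]]
    policy["Statement"] = kept + [statement]
    return json.dumps(policy, indent=2)


def statement_sids(policy_json: str) -> list:
    """Sids in document order, for inspecting the merged policy."""
    return [s.get("Sid") for s in _statements(json.loads(policy_json))]


def check_ssm_statement(policy_json: str, sid: str, account_id: str, resource_arn: str) -> list:
    """Findings for the ssm.amazonaws.com statement with `sid`; an empty list means it
    is present and scoped to this account and this resource. Run before and after."""
    match = [s for s in _statements(json.loads(policy_json)) if s.get("Sid") == sid]
    if not match:
        return ["missing statement: " + sid]
    s = match[0]
    findings = []
    if s.get("Effect") != "Allow" or s.get("Principal") != SSM_PRINCIPAL:
        findings.append("principal is not the ssm.amazonaws.com service principal")
    if s.get("Resource") != resource_arn:
        findings.append("Resource is not the expected ARN: " + str(s.get("Resource")))
    string_equals = s.get("Condition", {}).get("StringEquals", {})
    # Condition keys are case-insensitive, so match aws:SourceAccount loosely.
    src = next((v for k, v in string_equals.items() if k.lower() == "aws:sourceaccount"), None)
    if src is None:
        findings.append("no aws:SourceAccount condition; any account could make SSM use this grant")
    elif (src if isinstance(src, list) else [src]) != [account_id]:
        findings.append("aws:SourceAccount does not match this account: " + str(src))
    return findings


if __name__ == "__main__":
    region, account, topic = "us-east-1", "123456789012", "change-manager-notifications"
    topic_arn = f"arn:aws:sns:{region}:{account}:{topic}"
    print("before:", check_ssm_statement(SAMPLE_SNS_POLICY, SNS_SID, account, topic_arn))
    merged = upsert_statement(SAMPLE_SNS_POLICY, sns_publish_statement(region, account, topic))
    print(merged)
    print("after:", check_ssm_statement(merged, SNS_SID, account, topic_arn))
```

The merged document is what you would paste into the console's Access policy editor, or pass to the AWS CLI with `aws sns set-topic-attributes --attribute-name Policy --attribute-value file://policy.json` (and, for Task 3, `aws kms put-key-policy --policy-name default --policy file://key-policy.json`). Running `check_ssm_statement` against the live policy afterwards catches the two mistakes that quietly break or over-extend the grant: a forgotten or wrong aws:SourceAccount value, and a Resource ARN that points at a different account or topic than the one you subscribed to.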