How can I make sure that I receive Amazon SNS notifications from AWS Config?

4 minute read
0

I set up an Amazon Simple Notification Service (Amazon SNS) notification for AWS Config, but I don't receive any notifications.

Short description

Try the following troubleshooting resolutions:

  • Verify the status of your Amazon SNS topic subscription
  • Grant your AWS account permission to publish your SNS topic
  • Grant your AWS cross-account permission to publish your Amazon SNS topic
  • Confirm that AWS Config can access encrypted Amazon SNS topics
  • Fix your Amazon CloudWatch Events and SNS permission configurations

Resolution

Verify the status of your Amazon SNS topic subscription

1.    Open the Amazon SNS console.

2.    On the navigation pane, choose Subscriptions.

3.    From the list of subscriptions, confirm that the Status of your subscription is set to Confirmed. If Status is set to PendingConfirmation, then follow the instructions to confirm the subscription.

Grant your AWS account permission to publish your SNS topic

You must choose either a service-linked role or a custom role as your recorder role. The recorder role is an AWS Identity and Access Management (IAM) role that allows you to record configuration information.

Important: As a security best practice, use the custom configuration service role as a recorder role. Avoid using the service-linked role as the recorder role for your cross-account topic policy. This is because the service-linked role requires you to set “config.amazonaws.com” as the Service property in your Amazon SNS topic policy.

To replace the Amazon Resource Name (ARN) of the service-linked role with a custom service role ARN, add the following permission to the role permissions policy:

{
    "Effect": "Allow",
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:Region:AccountId:Topic-Name"
}

For more information on custom roles, see Permissions for the IAM Role Assigned to AWS Config.

Grant your AWS cross-account permission to publish your Amazon SNS topic

If you chose an SNS topic from another account, then set up the following configurations to get cross-account access:

1.    Add the following statement to the access policy attached to your SNS topic:

{
    "Sid": "__console_pub_0",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::config-AccountId:root" OR "arn:aws:iam::config-AccountId:role/Custom_Service_role_name"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:Region:SNS-topic-AccountId:Topic-Name"
}

2.    Attach the following statement to the IAM role assumed by AWS Config:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublishToSNSTargetAccount",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:Region:config-AccountId:Topic-Name"
        }
    ]
}

Confirm that AWS Config can access encrypted Amazon SNS topics

If your SNS topic is encrypted with an AWS Key Management Service (AWS KMS) key, complete the following steps:

1.    Confirm that the IAM role assumed by AWS Config can access the key required for decrypting the SNS topic. For example:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::config-AccountId:role/ConfigRoleName"
    },
    "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:Encrypt"
    ],
    "Resource": "*"
}

2.    Add AWS KMS permissions in your role's access policy:

{
    "Effect": "Allow",
    "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt",
         
    ],
    "Resource": "*"
}

Fix your Amazon CloudWatch Events and SNS permission configurations

1.    Confirm that you chose the correct SNS topic as the target for your CloudWatch Events rule.

2.    If you're using Amazon CloudWatch to monitor AWS Config APIs and send notifications using Amazon SNS, confirm that CloudWatch has publishing permissions for your SNS topic. For example, include the following statement in your topic's resource policy:

{
    "Sid": "Allow_Publish_Events",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:Region:AccountId:Topic-Name"
}

3.    Troubleshoot your CloudWatch Events rule.


Related information

Permissions for the Amazon SNS Topic

How can I be notified when an AWS resource is non-compliant using AWS Config?

How can I receive custom email notifications when a resource is deleted in my AWS account using AWS Config service?

How can I receive custom email notifications when a resource is created in my AWS account using AWS Config service?

Creating IAM Role Policies

AWS OFFICIAL
AWS OFFICIALUpdated 3 years ago