I'm using CloudCheckr.com, and following recommendations to enable AWS Config in regions where where we currently have no activity.
Ideally, I want to setup each region to use the same S3 bucket and SNS topic from the default region (since it's already setup), but I'm getting errors such as:
Last AWS Error Message: User: arn:aws:sts::XXXXXXX:assumed-role/config-role/AWSConfig-Delivery is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:XXXXXXX:assumed:config-topic (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; ...
I've tried to setup the config-role IAM user with the following policy:
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"appstream:Get*",
"autoscaling:Describe*",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudformation:List*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"config:Put*",
"directconnect:Describe*",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"elasticache:Describe*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticloadbalancing:Describe*",
"elastictranscoder:Read*",
"elastictranscoder:List*",
"iam:List*",
"iam:Get*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"opsworks:Describe*",
"opsworks:Get*",
"route53:Get*",
"route53:List*",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:Get*",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"storagegateway:List*",
"storagegateway:Describe*",
"trustedadvisor:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}, {
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": [
"arn:aws:s3:::config-bucket-XXXXXXXXXXXX/AWSLogs/XXXXXXXXXXXX/*"
],
"Condition": {
"StringLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}, {
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::config-bucket-XXXXXXXXXXXX"
}, {
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
}]
}
but that doesn't seem to grant the right permission. I keep getting:
The provided SNS topic ARN is invalid.
even though I'm positive that's the right ARN for the existing topic.
Here's the permissions for that SNS ARN:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:ListSubscriptionsByTopic",
"SNS:Subscribe",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:Publish",
"SNS:RemovePermission",
"SNS:AddPermission",
"SNS:Receive",
"SNS:SetTopicAttributes"
],
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "XXXXXXXXXXXX"
}
}
},
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:root"
]
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
},
{
"Sid": "__console_sub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
}
]
}
Anybody ever done this before?
Even better, does anybody have a script that maybe sets up a region from the cli?