3

I'm using CloudCheckr.com, and following recommendations to enable AWS Config in regions where we currently have no activity.

Ideally, I want to set up each region to use the same S3 bucket and SNS topic from the default region (since it's already set up), but I'm getting errors such as:

Last AWS Error Message: User: arn:aws:sts::XXXXXXX:assumed-role/config-role/AWSConfig-Delivery is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:XXXXXXX:assumed:config-topic (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; ...

I've tried to set up the config-role IAM user with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "appstream:Get*",
            "autoscaling:Describe*",
            "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudformation:GetTemplate",
            "cloudformation:List*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "config:Put*",
            "directconnect:Describe*",
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables",
            "ec2:Describe*",
            "elasticache:Describe*",
            "elasticbeanstalk:Check*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "elasticbeanstalk:RequestEnvironmentInfo",
            "elasticbeanstalk:RetrieveEnvironmentInfo",
            "elasticloadbalancing:Describe*",
            "elastictranscoder:Read*",
            "elastictranscoder:List*",
            "iam:List*",
            "iam:Get*",
            "kinesis:Describe*",
            "kinesis:Get*",
            "kinesis:List*",
            "opsworks:Describe*",
            "opsworks:Get*",
            "route53:Get*",
            "route53:List*",
            "redshift:Describe*",
            "redshift:ViewQueriesInConsole",
            "rds:Describe*",
            "rds:ListTagsForResource",
            "s3:Get*",
            "s3:List*",
            "sdb:GetAttributes",
            "sdb:List*",
            "sdb:Select*",
            "ses:Get*",
            "ses:List*",
            "sns:Get*",
            "sns:List*",
            "sqs:GetQueueAttributes",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "storagegateway:List*",
            "storagegateway:Describe*",
            "trustedadvisor:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }, {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject*"
        ],
        "Resource": [
            "arn:aws:s3:::config-bucket-XXXXXXXXXXXX/AWSLogs/XXXXXXXXXXXX/*"
        ],
        "Condition": {
            "StringLike": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    }, {
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketAcl"
        ],
        "Resource": "arn:aws:s3:::config-bucket-XXXXXXXXXXXX"
    }, {
        "Effect": "Allow",
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
    }]
}

but that doesn't seem to grant the right permission. I keep getting:

The provided SNS topic ARN is invalid.

even though I'm positive that's the right ARN for the existing topic.

Here's the permissions for that SNS ARN:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:ListSubscriptionsByTopic",
        "SNS:Subscribe",
        "SNS:DeleteTopic",
        "SNS:GetTopicAttributes",
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:AddPermission",
        "SNS:Receive",
        "SNS:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "XXXXXXXXXXXX"
        }
      }
    },
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXXXXXXXXX:root"
        ]
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
    }
  ]
}

Anybody ever done this before?

Even better, does anybody have a script that maybe sets up a region from the cli?

Mike Crowe
    The error says `SNS:Publish on resource: arn:aws:sns:eu-west-1...` not `us-east-1` as in your policy. Are you sure AWS Config can publish to an SNS topic across regions? – Michael - sqlbot Jan 26 '16 at 22:52

2 Answers

3

Things may have changed since the original answer to this question was written, as now the error returned by the AWS API when setting an SNS topic in a different region is:

InvalidSNSTopicARNException: The sns topic arn 'arn:aws:sns:ap-southeast-2:...........' is not valid.Region provided in sns arn: ap-southeast-2, does not match the expected region: us-east-1.

This implies that the AWS Config Service does not support sending to an SNS topic in a different region.

Tim Malone
    This is correct. [The docs](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html) state the following: > The Amazon SNS topic must exist in the same region as the region in which you set up AWS Config. So I think you have to have one topic per region in the central account. – Ben Whaley Apr 27 '20 at 17:39
-1

You can technically publish SNS topics across regions, but I would create a topic in each region you are setting up the service (e.g. use eu-west-1 for SNS in the IAM policy for EU West) and then direct all these messages from the different regions into a single SQS queue in the home region of your choice.

If you still want to continue down the path you're already on, you need to make sure your IAM role has the right region in the SNS Publish permissions (should be eu-west-1 instead of us-east-1).
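The question asks for a CLI script, and the answer above together with Ben Whaley's comment establish that the SNS topic has to live in the same region as the recorder, while the S3 bucket can stay central. The script below is an added example, not code from the question, either answer, or CloudCheckr: it uses the AWS CLI (`aws sns create-topic`, `aws configservice put-configuration-recorder`, `put-delivery-channel`, `start-configuration-recorder`) to set up each listed region with one region-local topic and the shared bucket, and it refuses a topic ARN whose region does not match the region being configured, which is exactly the condition the quoted `InvalidSNSTopicARNException` rejects. The account id, bucket name, role name, topic name and region list are constructed placeholders; `DRY_RUN=1` (the default) prints the `aws` commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the question or answers): enable AWS Config in several
# regions with one central S3 bucket and one SNS topic per region.
set -eu

ACCOUNT_ID="123456789012"                              # constructed placeholder
CONFIG_BUCKET="config-bucket-${ACCOUNT_ID}"            # central bucket, S3 names are global
CONFIG_ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/config-role"   # assumed role name
TOPIC_NAME="config-topic"
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print commands, 0 = run them

# The only topic ARN AWS Config accepts for a region: a topic in that same region.
topic_arn_for_region() {
  printf 'arn:aws:sns:%s:%s:%s\n' "$1" "$ACCOUNT_ID" "$TOPIC_NAME"
}

# Delivery channel body: shared bucket, region-local topic.
delivery_channel_json() {
  printf '{"name":"default","s3BucketName":"%s","snsTopicARN":"%s"}\n' \
    "$CONFIG_BUCKET" "$(topic_arn_for_region "$1")"
}

# Pre-flight check mirroring the API error: the region field (4th ':'-separated
# field) of the topic ARN must equal the region being configured.
topic_region_matches() {
  region="$1"
  arn_region=$(printf '%s' "$2" | cut -d: -f4)
  [ "$arn_region" = "$region" ]
}

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

setup_region() {
  region="$1"
  arn=$(topic_arn_for_region "$region")
  topic_region_matches "$region" "$arn" || {
    echo "refusing: topic $arn is not in region $region" >&2
    return 1
  }
  # create-topic is idempotent for an existing name in the same region.
  run aws sns create-topic --region "$region" --name "$TOPIC_NAME"
  # A recorder must exist before a delivery channel can be created.
  run aws configservice put-configuration-recorder --region "$region" \
    --configuration-recorder "name=default,roleARN=${CONFIG_ROLE_ARN}" \
    --recording-group "allSupported=true,includeGlobalResourceTypes=false"
  run aws configservice put-delivery-channel --region "$region" \
    --delivery-channel "$(delivery_channel_json "$region")"
  run aws configservice start-configuration-recorder --region "$region" \
    --configuration-recorder-name default
}

main() {
  for r in "$@"; do setup_region "$r"; done
}

# Default region list (constructed); pass regions as arguments to override.
if [ $# -eq 0 ]; then set -- eu-west-1 eu-central-1; fi
main "$@"
```

Two permission points follow from the per-region layout: the role's `sns:Publish` statement in the question only names the `us-east-1` topic, so it has to be widened to cover each region's topic (for example a `Resource` of `arn:aws:sns:*:ACCOUNT:config-topic`), and the central bucket's own policy must allow the AWS Config service to write under `AWSLogs/ACCOUNT/` from every region, otherwise delivery fails on the S3 side instead of the SNS side.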