
Add service to SNS policy

I'm automating cloudtrail creation in multiple accounts using python boto3. My issue is that create_trail doesn't automatically create the sns topic to associate with the trail. create_trail expects the sns topic to already exist.

I can create the sns topic with boto, but I can't seem to set the policy for the topic to allow cloudtrail to publish to the topic.

This is what the correct policy looks like in the console:

{
  "Sid": "AWSCloudTrailSNSPolicy20150319",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-1:123456678912:us-east-1-trail"
}

There doesn't seem to be a way to give permissions to a service with boto:

client.add_permission(
    TopicArn=arn,
    Label='AWSCloudTrailSNSPolicy20150319',
    AWSAccountId=[
        '12345678912'
    ],
    ActionName=[
        'Publish',
    ]
)

If I add the account here the create_trail call still fails with:

An error occurred (InsufficientSnsTopicPolicyException) when calling the CreateTrail operation: SNS Topic does not exist or the topic policy is incorrect!

Is there a way to just give permissions to a service or to automatically set this when creating the trail or sns topic?

Perhaps use SetTopicAttributes ( http://docs.aws.amazon.com/sns/latest/api/API_SetTopicAttributes.html ). This topic discusses allowing cloudwatch events to publish to an SNS topic - http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/resource-based-policies-cwe.html
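Putting the SetTopicAttributes suggestion into boto3, as an added example that is not code from the question or either answer: it builds the service-principal statement the question shows, applies it to the topic, and reads the policy back to confirm the grant is present before create_trail is called. The trail_arn parameter and its aws:SourceArn condition are an addition beyond the page (they scope the grant to one trail rather than any trail in any account); the ARNs in the checks are constructed.

```python
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def _as_list(value):
    """Normalise a policy field that may be a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def build_cloudtrail_topic_policy(topic_arn, trail_arn=None):
    """Policy dict granting the CloudTrail service principal SNS:Publish on topic_arn.
    trail_arn (hypothetical parameter) optionally adds an aws:SourceArn condition so
    only that one trail, not any trail in any account, may publish to the topic."""
    statement = {
        "Sid": "AWSCloudTrailSNSPolicy20150319",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL_SERVICE},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
    }
    if trail_arn:
        statement["Condition"] = {"StringEquals": {"aws:SourceArn": trail_arn}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def topic_policy_allows_cloudtrail(policy_json, topic_arn):
    """True if a policy document (the Attributes['Policy'] string) lets CloudTrail publish."""
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if (st.get("Effect") == "Allow" and CLOUDTRAIL_SERVICE in services
                and any(a in ("sns:publish", "sns:*") for a in actions)
                and (topic_arn in resources or "*" in resources)):
            return True
    return False


def grant_cloudtrail_publish(sns_client, topic_arn, trail_arn=None):
    """Apply the policy via SetTopicAttributes (sns_client is a boto3 SNS client),
    then read it back and return whether the grant is now in place."""
    policy = build_cloudtrail_topic_policy(topic_arn, trail_arn)
    sns_client.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
                                    AttributeValue=json.dumps(policy))
    current = sns_client.get_topic_attributes(TopicArn=topic_arn)["Attributes"]["Policy"]
    return topic_policy_allows_cloudtrail(current, topic_arn)
```

The add_permission call in the question grants an account principal, not the service principal, which is why the read-back check above deliberately rejects such a policy.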

I received the exact same error when I used Cloud Trail with SNS via Terraform.

The problem is that in Terraform docs it is written that the sns_topic_name is:

sns_topic_name - (Optional) Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

When I entered the SNS topic name - it gave me the mentioned error.

When I changed it to the ARN instead - it worked.

