I want to invoke an Amazon Simple Notification Service (Amazon SNS) topic with an Amazon CloudWatch alarm across different AWS accounts.
Resolution
Note: The following resolution uses two accounts.
Use account A to create the CloudWatch alarm and account B to create an Amazon SNS topic. Then, update the SNS topic's access policy to allow account A's alarm to publish messages.
Create an SNS topic in account B
Complete the following steps:
- Open the Amazon SNS console.
- In the navigation pane, choose Topics, and then choose Create topic.
- Choose Standard for the topic type, and then provide a name for the topic.
- Choose Create topic, and then copy the Amazon Resource Name (ARN) of the topic.
- In the navigation pane, choose Subscriptions, and then choose Create subscription.
- Add the topic's ARN in the Topic ARN section, and then choose Email as the protocol.
- Choose Create subscription, and then check your email to confirm the subscription.
Create a CloudWatch alarm in account A
Complete the following steps:
- Open the CloudWatch console.
- In the navigation pane, choose Alarms, and then choose Create alarm.
- Select your metric, and then provide details for the threshold and comparison parameters.
- From Configure Actions, under Notifications, choose Use topic ARN to notify other accounts, and then enter the topic ARN from Account B.
- Create a name for the alarm, and then choose Create alarm.
Update the access policy of the SNS topic in account B
When you update the access policy of the SNS topic in account B, this allows the alarm in account A to publish messages to the topic.
Complete the following steps:
- Open the SNS console.
- In the navigation pane, choose Topics, and then select the topic.
- Choose Edit, and then add the following statement to the policy:
```json
{
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudwatch.amazonaws.com"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
    "Condition": {
      "ArnLike": {
        "aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:*"
      },
      "StringEquals": {
        "aws:SourceAccount": "111122223333"
      }
    }
  }]
}
```
Note: In the preceding policy, replace example values with your values.
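The Condition block is what keeps this grant scoped: the principal is the CloudWatch service itself, so without aws:SourceAccount or aws:SourceArn an alarm in any AWS account could publish to the topic. The following added example (not code from this article) audits a topic policy document offline and reports whether each CloudWatch publish grant is pinned to the expected alarm account; the two sample policies are constructed, using the article's example account IDs.

```python
"""Audit an SNS topic access policy for the CloudWatch-alarm publish grant.

Added example, not code from the AWS article. It checks offline that every
statement letting cloudwatch.amazonaws.com call SNS:Publish is pinned to the
alarm account via aws:SourceAccount or aws:SourceArn; without that condition
an alarm in any AWS account could publish to the topic (confused-deputy risk).
"""

def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _arn_pinned(arn: str, account: str) -> bool:
    """True if a CloudWatch ARN pattern names the expected account explicitly."""
    parts = arn.split(":")
    return len(parts) >= 6 and parts[2] == "cloudwatch" and parts[4] == account

def audit_cloudwatch_publish(policy: dict, alarm_account: str) -> list:
    """Return one finding per Allow statement that grants CloudWatch publish."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        is_cloudwatch = principal == "*" or "cloudwatch.amazonaws.com" in services
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_publish = any(a in ("sns:publish", "sns:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not is_cloudwatch or not grants_publish:
            continue
        cond = stmt.get("Condition", {})
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        pinned = accounts == [alarm_account] or (
            bool(arns) and all(_arn_pinned(a, alarm_account) for a in arns))
        findings.append({"statement": index, "pinned": pinned,
                         "source_account": accounts, "source_arn": arns})
    return findings

# Constructed sample policies: the article's scoped statement, and a weak variant
# that drops the Condition block so any account's alarm could publish.
GOOD_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudwatch.amazonaws.com"},
    "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:*"},
                  "StringEquals": {"aws:SourceAccount": "111122223333"}}}]}
WEAK_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudwatch.amazonaws.com"},
    "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"}]}
```

To check a live topic, fetch the policy with `aws sns get-topic-attributes --topic-arn <arn>` in account B, parse the `Policy` attribute with `json.loads`, and pass it to `audit_cloudwatch_publish` with account A's ID.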
Test the alarm
To test the alarm, either change the alarm threshold based on the metric data points, or run the set-alarm-state command. When you change the alarm threshold or alarm state, you receive an email notification.
Related information
Allow any CloudWatch alarm to publish to a topic in a different account
Why didn't I receive an SNS notification for my CloudWatch alarm trigger?