I want to publish to an Amazon Simple Notification Service (Amazon SNS) topic from a cross-account Amazon Elastic Compute Cloud (Amazon EC2) instance. I want to do this with an AWS Identity and Access Management (IAM) role for an EC2 instance that uses a public subnet.
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
Configure the account with your EC2 instance
1. Create an IAM policy with permissions to publish to your SNS topic. See the following example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"
    }
  ]
}
Note: Replace us-east-1:123456789012 with the relevant AWS Region and account ID.
2. Create an IAM role for your EC2 instance. For example: cross-acc-ec2-sns-publish-role. Then, attach the policy to your IAM role.
3. Create an EC2 instance in a public subnet with internet access.
Attach the new IAM role to your EC2 instance
Confirm that your EC2 instance is running, and then complete the following steps:
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Instances.
3. Select your instance (cross-acc-ec2-sns-publish-role), and then choose Actions, Security, Modify IAM role.
4. Select the IAM role that you created earlier to attach to your instance, and then choose Save.
Note: To troubleshoot issues connecting your instance to the internet with an internet gateway, see Why can't my Amazon EC2 instance connect to the internet using an internet gateway?
Configure the account with your SNS topic
1. Create an SNS topic with a name such as cross-account-ec2-sns.
2. Subscribe an endpoint to your topic that's based on your use case, and then confirm the subscription.
3. Add permissions to your SNS topic's access policy. The permissions must allow the EC2 IAM role to perform the Publish API operation for Amazon SNS.
To edit your SNS topic access policy and add the permissions, complete the following steps:
1. Open the Amazon SNS console.
2. On the navigation panel, choose Topics, and then choose the SNS topic that you want to publish to.
3. Choose the Access policy tab.
4. In the Details section of your topic page, choose Edit.
5. Expand the Access policy section, and then add permissions to allow the IAM role (cross-acc-ec2-sns-publish-role) of your EC2 instance to publish to the SNS topic. See the following example:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    },
    {
      "Sid": "grant-65864586-publish",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"
        ]
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"
    }
  ]
}
Note: Replace us-east-1:123456789012 with the relevant AWS Region and account ID. Also, replace 123456789012 and 111122223333 with the relevant user or account IDs.
6. Choose Save changes.
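The two policies above work together: for a cross-account call, IAM requires an Allow from the identity policy in the instance account and an Allow from the topic's resource policy in the topic account. The default "__default_statement_ID" statement does not grant the cross-account role anything, because its Principal "*" is restricted by the AWS:SourceOwner condition to callers from the topic account; only the second statement authorizes the role. The following script is an added example, not part of this article and not AWS code: it is a deliberately simplified offline evaluator (only StringEquals conditions, only AWS principals, no NotAction/NotResource) that checks both policies from the article for sns:Publish before you deploy them, and flags any Allow statement with a wildcard principal and no Condition at all.

```python
"""Offline pre-deployment check for the cross-account SNS publish policies.

Added example (not from the article). Models the IAM rule that a cross-account
request needs an Allow from BOTH the caller's identity policy and the target
resource policy. Simplified: supports string-or-list fields, * and ? wildcards,
StringEquals conditions and AWS principals only; anything else fails closed.
"""
import fnmatch
import json

# Example ARNs and account IDs taken from the article (not real resources).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"
ROLE_ARN = "arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"
ROLE_ACCOUNT = "111122223333"

# Identity policy attached to the EC2 instance role (instance account).
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"}
  ]
}""")

# Resource (access) policy on the topic (topic account), as in the article.
TOPIC_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": ["SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:AddPermission",
                "SNS:RemovePermission", "SNS:DeleteTopic", "SNS:Subscribe",
                "SNS:ListSubscriptionsByTopic", "SNS:Publish", "SNS:Receive"],
     "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns",
     "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
    {"Sid": "grant-65864586-publish", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/cross-acc-ec2-sns-publish-role"]},
     "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns"}
  ]
}""")


def _as_list(value):
    """IAM allows most fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value, fold_case=False):
    """IAM-style wildcard match; actions are case-insensitive, ARNs are not."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _principal_match(principal, caller_arn, caller_account):
    """Match the caller against a Principal element (AWS principals only)."""
    if principal == "*":
        return True
    accepted = {"*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"}
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return any(p in accepted for p in _as_list(aws))


def _conditions_hold(condition, context):
    """Evaluate Condition; only StringEquals is modelled, others fail closed."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key.lower()) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context, caller=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document.

    caller=(arn, account) enables Principal matching for resource policies;
    identity policies carry no Principal and are evaluated with caller=None.
    An explicit Deny wins over any Allow, as in IAM.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if caller is not None and not _principal_match(stmt.get("Principal"), *caller):
            continue
        if not _glob_match(stmt.get("Action"), action, fold_case=True):
            continue
        if not _glob_match(stmt.get("Resource"), resource):
            continue
        if not _conditions_hold(stmt.get("Condition"), context):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def cross_account_publish_allowed(identity_policy, topic_policy, caller_arn, caller_account, topic_arn):
    """Cross-account sns:Publish needs an Allow from both accounts' policies."""
    context = {"aws:sourceowner": caller_account}  # caller's account, as IAM sets it
    identity = evaluate(identity_policy, "sns:Publish", topic_arn, context)
    resource = evaluate(topic_policy, "sns:Publish", topic_arn, context,
                        caller=(caller_arn, caller_account))
    return identity == "Allow" and resource == "Allow"


def unrestricted_wildcard_statements(policy):
    """Sids of Allow statements whose Principal is '*' and that have no Condition."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict)
                                        and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print("Cross-account publish allowed:",
          cross_account_publish_allowed(IDENTITY_POLICY, TOPIC_POLICY, ROLE_ARN, ROLE_ACCOUNT, TOPIC_ARN))
    print("Unrestricted wildcard statements:", unrestricted_wildcard_statements(TOPIC_POLICY))
```

Dropping the "grant-65864586-publish" statement and re-running shows the point of the article's step 5: the default statement alone leaves the cross-account role with an implicit deny, even though its Principal is "*", because the SourceOwner condition only matches callers from the topic account.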
Test the configuration by publishing the notification from your EC2 instance
1. Log in to the account with your EC2 instance, and then connect to your EC2 instance. For Windows instances, see Connect to your Windows instance. For Linux instances, see Connect to your Linux instance.
2. Run the Amazon SNS Publish command in the EC2 terminal, and then monitor the response. You can use a test query in the AWS CLI, similar to the following example:
aws sns publish --topic-arn "arn:aws:sns:us-east-1:123456789012:cross-account-ec2-sns" --message "test" --region us-east-1
Note: Replace us-east-1:123456789012 with the relevant AWS Region and account ID.