SNS_TOPIC_CROSS_ACCOUNT

Question

See this in security hub:
"The finding is in a WARNING state. The SNS topic associated with this rule is owned by a different account. The current account cannot obtain the subscription information. The account that owns the SNS topic must grant to the current account the sns:ListSubscriptionsByTopic permission for the SNS topic."

Anyone have the correct json code I would need to add to the access policy? All accounts are under the same ORG, so can use that as a condition. I saw this post: https://github.com/aws-samples/aws-secure-environment-accelerator/issues/875

So, similar to this?
{
"Sid": "SNS-Cross-Acct",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:ListSubscriptionsByTopic",
"Resource": "*sns topic arn*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "*org-id*"
},
"StringLike": {
"aws:PrincipalArn": "*arn:aws:iam:::roleid/aws-service-role/securityhub.amazonaws.com/AWSServiceRoleForSecurityHub*"
}
}
}

Answer

the aws:PrincipalArn condition is too restrictive as it's trying to match an exact service role ARN. But the aws:PrincipalArn includes the account ID, which can vary if you have multiple accounts. You'd better use aws:SourceArn and set its value to the ARN of the Security Hub service role in the account where the SNS topic resides.

Second, the value of the Resource field should be the ARN of the SNS topic you want to grant access to. The ARN has the following format: arn:aws:sns:region:account-id:topicname.

SNS_TOPIC_CROSS_ACCOUNT

Relevant content