
How do I modify the SNS topic policy to give AWS Inspector in us-east-1 permission to access the topic?

My Assessment Template has no permission to the SNS topic. I got this error:

The Inspector Account was denied access to the requested topic Grant account xxxxxxxxx permission to publish to the topic arn:aws:sns:us-east-1:xxxxxxxx:inspector
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:xxxxxxxx:inspector",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "xxxxxxxxx"
        }
      }
    }
  ]
}
Pzowghi

3 Answers


I have removed the condition block

"Condition": { "StringEquals": { "AWS:SourceOwner": "xxxxxxxxx" } }

Now it works for me.

  • I'm having this same error, but the odd part is that the account number listed isn't even one of our accounts: 3161********. Very odd. I removed the IAM SNS condition you mentioned and it still did not work. – tavor999 Aug 14 '19 at 15:09

This link on AWS has exactly what you need to do:

To set up an SNS topic for notifications

Create an SNS topic. See Tutorial: Creating an Amazon SNS Topic. When you create the topic, expand the Access policy - optional section. Then do the following to permit the assessment to send messages to the topic:

For Choose method, choose Basic.

For Define who can publish messages to the topic, choose Only the specified AWS accounts, and then enter the ARN for the account in the Region that you're creating the topic in:

US East (Ohio) - arn:aws:iam::646659390643:root
US East (N. Virginia) - arn:aws:iam::316112463485:root
US West (N. California) - arn:aws:iam::166987590008:root
US West (Oregon) - arn:aws:iam::758058086616:root
Asia Pacific (Mumbai) - arn:aws:iam::162588757376:root
Asia Pacific (Seoul) - arn:aws:iam::526946625049:root
Asia Pacific (Sydney) - arn:aws:iam::454640832652:root
Asia Pacific (Tokyo) - arn:aws:iam::406045910587:root
Europe (Frankfurt) - arn:aws:iam::537503971621:root
Europe (Ireland) - arn:aws:iam::357557129151:root
Europe (London) - arn:aws:iam::146838936955:root
Europe (Stockholm) - arn:aws:iam::453420244670:root
AWS GovCloud (US-East) - arn:aws-us-gov:iam::206278770380:root
AWS GovCloud (US-West) - arn:aws-us-gov:iam::850862329162:root

For Define who can subscribe to this topic, choose Only the specified AWS accounts, and then enter the ARN for the account in the Region that you're creating the topic in.

contactmatt

Add this to your SNS access policy. It worked for me.

Note: My AWS Inspector is configured in Oregon, so I am using "arn:aws:iam::758058086616:root".

Reference.

And my SNS topic is already in the Oregon region.

{
  "Sid": "CustomInspectorPolicy",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::758058086616:root"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-west-2:<YOUR AWS ACCOUNT NO>:<YOUR SNS TOPIC>"
}
jaleel
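Pulling the three answers together: the worked example below is added by the editor and is not code from the question or from any answer. It applies the least-privilege fix of the second and third answers programmatically (one extra statement, only SNS:Publish, only the Regional Inspector account, only this topic) and shows why the first answer's fix should not be kept: the default statement's Principal is "*", so once its AWS:SourceOwner condition is deleted every action it lists, SNS:DeleteTopic and SNS:SetTopicAttributes included, becomes callable by any AWS account. The Inspector account ARNs are the ones quoted from the AWS documentation above; the Region codes, the placeholder owner account 111122223333, the Sid AllowInspectorPublish and all function names are this example's own assumptions, and the boto3 calls are left commented out so the script runs offline.

```python
import copy
import json

# Inspector service account per Region, from the AWS list quoted above (Region codes
# added here).  The topic must be in the same Region as the assessment template.
INSPECTOR_ACCOUNTS = {
    "us-east-2": "arn:aws:iam::646659390643:root",       # Ohio
    "us-east-1": "arn:aws:iam::316112463485:root",       # N. Virginia
    "us-west-1": "arn:aws:iam::166987590008:root",       # N. California
    "us-west-2": "arn:aws:iam::758058086616:root",       # Oregon
    "ap-south-1": "arn:aws:iam::162588757376:root",      # Mumbai
    "ap-northeast-2": "arn:aws:iam::526946625049:root",  # Seoul
    "ap-southeast-2": "arn:aws:iam::454640832652:root",  # Sydney
    "ap-northeast-1": "arn:aws:iam::406045910587:root",  # Tokyo
    "eu-central-1": "arn:aws:iam::537503971621:root",    # Frankfurt
    "eu-west-1": "arn:aws:iam::357557129151:root",       # Ireland
    "eu-west-2": "arn:aws:iam::146838936955:root",       # London
    "eu-north-1": "arn:aws:iam::453420244670:root",      # Stockholm
    "us-gov-east-1": "arn:aws-us-gov:iam::206278770380:root",
    "us-gov-west-1": "arn:aws-us-gov:iam::850862329162:root",
}

# Constructed sample: placeholder owner account plus the console's default policy as
# posted in the question.  Principal "*" looks open, but AWS:SourceOwner pins every
# action to the owning account, so the Inspector service account is denied.
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:%s:inspector" % SAMPLE_ACCOUNT
DEFAULT_POLICY = {"Version": "2008-10-17", "Id": "__default_policy_ID", "Statement": [{
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:AddPermission",
               "SNS:RemovePermission", "SNS:DeleteTopic", "SNS:Subscribe",
               "SNS:ListSubscriptionsByTopic", "SNS:Publish", "SNS:Receive"],
    "Resource": SAMPLE_TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": SAMPLE_ACCOUNT}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def inspector_principal(topic_arn):
    """Inspector account ARN for the Region in arn:aws:sns:<region>:<acct>:<name>."""
    return INSPECTOR_ACCOUNTS[topic_arn.split(":")[3]]

def _allows_everyone(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def _principal_matches(principal, arn):
    """True if the statement names `arn`, its bare account ID, or everyone."""
    if _allows_everyone(principal):
        return True
    names = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(n in (arn, arn.split(":")[4]) for n in names)

def inspector_can_publish(policy, topic_arn):
    """Simplified check for an Allow of SNS:Publish on this topic that the Regional
    Inspector account satisfies; any Condition counts as not met (conservative)."""
    arn = inspector_principal(topic_arn)
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and any(a in ("SNS:Publish", "SNS:*", "*") for a in _as_list(stmt.get("Action", [])))
                and any(r in (topic_arn, "*") for r in _as_list(stmt.get("Resource", [])))
                and _principal_matches(stmt.get("Principal"), arn)):
            return True
    return False

def grant_inspector_publish(policy, topic_arn, sid="AllowInspectorPublish"):
    """Least-privilege fix, as in the second and third answers: one extra statement
    that lets only the Regional Inspector account publish to this one topic; the
    default statement and its condition are left exactly as they were."""
    updated = copy.deepcopy(policy)
    if not inspector_can_publish(updated, topic_arn):  # idempotent: add only once
        updated.setdefault("Statement", []).append({
            "Sid": sid, "Effect": "Allow", "Action": "SNS:Publish",
            "Principal": {"AWS": inspector_principal(topic_arn)}, "Resource": topic_arn})
    return updated

def drop_source_owner_condition(policy):
    """What the first answer did: delete the Condition block (returns a copy)."""
    updated = copy.deepcopy(policy)
    for stmt in updated.get("Statement", []):
        stmt.pop("Condition", None)
    return updated

def world_open_actions(policy):
    """Actions every AWS principal may call with no Condition.  After the first
    answer's fix the default statement lands here, SNS:DeleteTopic included."""
    found = set()
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and _allows_everyone(stmt.get("Principal"))):
            found.update(_as_list(stmt.get("Action", [])))
    return sorted(found)

if __name__ == "__main__":
    print(json.dumps(grant_inspector_publish(DEFAULT_POLICY, SAMPLE_TOPIC_ARN), indent=2))
    # Against a real topic (needs boto3 and credentials allowed sns:SetTopicAttributes):
    # sns = boto3.client("sns", region_name=topic_arn.split(":")[3])
    # current = json.loads(sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]["Policy"])
    # sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
    #                          AttributeValue=json.dumps(grant_inspector_publish(current, topic_arn)))
```

Run it to print the patched policy for the sample topic; for a real topic, paste that output into the console's Access policy editor or uncomment the boto3 lines. inspector_can_publish models only the bare statement shapes seen on this page, not full IAM evaluation, so read a True result as "the statement the AWS docs ask for is present", and check world_open_actions on whatever policy you end up with: for the least-privilege fix it stays empty, for the delete-the-condition fix it lists the whole default action set.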