How do I allow AWS accounts in my organization to publish messages to an Amazon SNS topic in my account?

Last updated: 2021-02-17

I want an Amazon Simple Notification Service (Amazon SNS) topic to accept messages from any AWS account in my organization in AWS Organizations. How do I set that up?

Short description

Configure the Amazon SNS topic's access policy to allow any account in your organization to publish messages to the topic. In the access policy, include the global condition key aws:PrincipalOrgID and specify your organization's ID. This key is present in the request context only when the caller is an IAM principal in an account that belongs to an organization, so even though the policy uses a wildcard principal, requests from accounts outside your organization and unsigned (anonymous) requests fail the condition and are denied.

Resolution

1.    Find your organization's ID in the Organizations console. For more information, see Viewing details of an organization from the management account.

2.    Create a topic in the Amazon SNS console. Note the Amazon Resource Name (ARN) of your new topic.

3.    In the Amazon SNS console, edit the topic. On the Edit <topicName> page, expand Access policy - optional and paste the following example policy into the JSON editor:

Important: Replace snsTopicArn with the topic's ARN. Then, replace myOrgId with your organization's ID.

{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "allow-publish-from-organization-accounts",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "sns:Publish"
            ],
            "Resource": "snsTopicArn",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "myOrgId"
                }
            }
        }
    ]
}

Tip: To allow accounts in your organization to perform more Amazon SNS API actions (such as GetTopicAttributes), add actions under "Action" in the policy.

4.    Subscribe your email address to the SNS topic for testing. When creating the subscription, make sure that you specify your topic's ARN.

5.    In your email, find the subscription confirmation message from AWS Notifications and confirm the subscription.

6.    Using any AWS account in your organization, publish a message to the SNS topic in your account. In the publish request, make sure that you specify the topic's ARN. Because this is a cross-account request, the IAM identity that publishes must also be allowed the sns:Publish action on the topic by its own identity-based policy; the topic policy alone is not enough.

You will receive the published message in your email.
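The following is an added example, not part of the original article. It generates the topic policy above from a topic ARN and an organization ID (validating both, since a typo in the organization ID yields a policy that silently grants nothing), and then runs a deliberately simplified model of how IAM evaluates that single Allow statement. The model is not the real IAM engine; it exists to show why the wildcard principal is safe: StringEquals against a key that is absent from the request context is false, so anonymous callers and accounts in other organizations are denied. The topic ARN, organization IDs and request contexts are constructed sample values.

```python
import json
import re

# Organization IDs are "o-" followed by 10 to 32 lowercase letters or digits.
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
# Topic ARN: arn:<partition>:sns:<region>:<12-digit account ID>:<topic name>
TOPIC_ARN_RE = re.compile(r"^arn:aws[a-z-]*:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}$")


def build_topic_policy(topic_arn, org_id, actions=("sns:Publish",)):
    """Return the article's access policy with the two placeholders filled in.

    Both inputs are validated first so that a malformed ARN is not rejected
    later by SNS and a malformed org ID does not produce a policy that
    matches no caller at all.
    """
    if not TOPIC_ARN_RE.match(topic_arn):
        raise ValueError(f"not an SNS topic ARN: {topic_arn!r}")
    if not ORG_ID_RE.match(org_id):
        raise ValueError(f"not an AWS Organizations ID: {org_id!r}")
    return {
        # The article's console default shows 2008-10-17; SNS accepts the
        # current 2012-10-17 version for this statement as well.
        "Version": "2012-10-17",
        "Id": "__default_policy_ID",
        "Statement": [
            {
                "Sid": "allow-publish-from-organization-accounts",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": list(actions),
                "Resource": topic_arn,
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def statement_allows(stmt, request):
    """Simplified model of one Allow statement (only StringEquals is modelled;
    this is an illustration, not the real IAM evaluation logic)."""
    if stmt["Effect"] != "Allow":
        return False
    principal = stmt["Principal"]["AWS"]
    # "*" matches every caller, anonymous ones included, so the Condition
    # block is the only thing narrowing this statement.
    if principal != "*" and principal != request.get("principal"):
        return False
    if request["action"] not in stmt["Action"]:
        return False
    if request["resource"] != stmt["Resource"]:
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        # A missing key never equals anything. Anonymous callers and callers
        # whose account is in no organization carry no aws:PrincipalOrgID,
        # so they are denied here.
        if request["context"].get(key) != expected:
            return False
    return True


def is_allowed(policy, request):
    return any(statement_allows(s, request) for s in policy["Statement"])


# Constructed sample values; replace them with your own topic ARN and org ID.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:org-events"
ORG_ID = "o-exampleorg01"
POLICY = build_topic_policy(TOPIC_ARN, ORG_ID)


def demo():
    """Evaluate four constructed publish requests against POLICY."""
    base = {"action": "sns:Publish", "resource": TOPIC_ARN}
    return {
        "member_account": is_allowed(POLICY, {**base, "context": {"aws:PrincipalOrgID": ORG_ID}}),
        "other_org": is_allowed(POLICY, {**base, "context": {"aws:PrincipalOrgID": "o-someoneelse1"}}),
        "anonymous": is_allowed(POLICY, {**base, "context": {}}),
        "member_wrong_action": is_allowed(
            POLICY, {**base, "action": "sns:Subscribe", "context": {"aws:PrincipalOrgID": ORG_ID}}
        ),
    }


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=4))  # paste into the console or save as policy.json
    print(demo())
```

From the management account, the organization ID can be read with `aws organizations describe-organization --query Organization.Id --output text`. Saving the printed policy as policy.json, it can be applied without the console using `aws sns set-topic-attributes --topic-arn <topic ARN> --attribute-name Policy --attribute-value file://policy.json`.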