How do I allow AWS accounts in my organization to publish messages to an Amazon SNS topic in my account?

Last updated: 2020-04-28

I want an Amazon Simple Notification Service (Amazon SNS) topic in my AWS account to accept messages published by any account in my organization in AWS Organizations. How do I set that up?

Short Description

Configure the SNS topic's access policy to allow any account in your organization to publish messages to the topic. In the access policy, include the global condition key aws:PrincipalOrgID and specify your organization's ID.

Resolution

1.    Find your organization's ID in the Organizations console. For more information, see Viewing details of an organization from the master account.

2.    Create a topic in the Amazon SNS console. Note the Amazon Resource Name (ARN) of your new topic.

3.    In the Amazon SNS console, edit the topic. On the Edit <topicName> page, expand Access policy - optional and paste the following example policy into the JSON editor:

Note: Replace snsTopicArn with the topic's ARN. Replace myOrgId with your organization's ID.

{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "allow-publish-from-organization-accounts",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "sns:Publish"
            ],
            "Resource": "snsTopicArn",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "myOrgId"
                }
            }
        }
    ]
}

Tip: To allow accounts in your organization to perform more Amazon SNS API actions (such as GetTopicAttributes), add actions under "Action" in the policy.
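The policy above relies entirely on the aws:PrincipalOrgID condition to narrow the "AWS": "*" principal, so a copy with the condition dropped would let any AWS account publish. The following added Python example (not part of the original article; the topic ARN and organization ID are constructed placeholders) builds the policy, supports the tip's extra actions, and audits a policy document for Allow statements that open the topic to every principal without that condition:

```python
# Constructed sample values; replace with your own topic ARN and organization ID.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"
ORG_ID = "o-exampleorgid"


def build_org_publish_policy(topic_arn, org_id, extra_actions=()):
    """Return the article's access policy, scoped to one organization.

    extra_actions adds API actions (for example "sns:GetTopicAttributes")
    under "Action", as the article's tip describes.
    """
    return {
        "Version": "2008-10-17",
        "Id": "__default_policy_ID",
        "Statement": [
            {
                "Sid": "allow-publish-from-organization-accounts",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["sns:Publish", *extra_actions],
                "Resource": topic_arn,
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def _principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def unscoped_statements(policy):
    """Return the Sids of Allow statements whose principal is "*" but that carry
    no aws:PrincipalOrgID condition, i.e. grants that reach every AWS account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not equals.get("aws:PrincipalOrgID"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Run unscoped_statements over any topic policy before applying it; an empty list means every wildcard grant is scoped to an organization.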

4.    Subscribe your email address to the SNS topic for testing. When creating the subscription, be sure to specify your topic's ARN.

5.    In your email, find the subscription confirmation message from AWS Notifications and confirm the subscription.

6.    Using any AWS account in your organization, publish a message to the SNS topic in your account. In the publish request, be sure to specify the topic's ARN.

If publication is successful, you receive the published message in your email.