
Beginner question here. I would like to publish events from the AWS Config service to an encrypted SNS topic. I already publish to SNS from various services, but for those it is possible to use a service principal in my Customer Managed Key statement. So my CMK yml section looks like this:

            Statement:
              - Effect: Allow
                Principal:
                    Service:
                      - sns.amazonaws.com
                      - cloudtrail.amazonaws.com
                      - cloudwatch.amazonaws.com
                Action:
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:ReEncrypt*
                  - kms:GenerateDataKey*
                Resource: "*"

I know that in order to publish from AWS Config, I cannot use a service principal. In the documentation, I read:

Other Amazon SNS event sources require you to provide an IAM role, as opposed to their service principal, in the KMS key policy.

But there is no example of how this IAM role should be provided. Is it something like this?

               Principal:
                    Service:
                      - sns.amazonaws.com
                      - cloudtrail.amazonaws.com
                      - cloudwatch.amazonaws.com
                    AWS:
                      - Role IAM

Also, I am not sure what this role should look like. I can create a role which can publish to SNS and add it to the CMK, but how can I link it to AWS Config and make sure this role is used to publish events? Could someone advise what this role should contain? Thanks a lot

Jozef

1 Answer


From the docs:

If you create or update a role with the console, AWS Config attaches the AWSConfigRole for you.

In my case, as I checked what I have, the full arn of the role is:

arn:aws:iam::xxxxx:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig

Therefore, in your CFN, the following can be tried:

Principal:
    Service:
      - sns.amazonaws.com
      - cloudtrail.amazonaws.com
      - cloudwatch.amazonaws.com
    AWS:
      - !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

Prior to this, you can check whether the AWSServiceRoleForConfig role actually exists for you.

Marcin
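As an added example, not from the question or the answer: a Python check that reads a KMS key policy document like the one being built here and reports which of the permissions an SNS event source needs on the topic's CMK (kms:GenerateDataKey* and kms:Decrypt) the Config service-linked role is still missing. The sample policy and the account id are constructed placeholders, and the policy evaluation is simplified as noted in the code.

```python
import fnmatch

# Constructed sample (account id is a placeholder): the key policy from the
# question with the Config service-linked role added as an AWS principal.
CONFIG_ROLE_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
                   "config.amazonaws.com/AWSServiceRoleForConfig")
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
        {"Effect": "Allow", "Resource": "*",
         "Principal": {"Service": ["sns.amazonaws.com", "cloudtrail.amazonaws.com",
                                   "cloudwatch.amazonaws.com"],
                       "AWS": [CONFIG_ROLE_ARN]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*"]},
    ],
}
# What an SNS event source needs on the topic's CMK to publish encrypted.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return isinstance(principal, dict) and arn in _as_list(principal.get("AWS"))

def _covers(patterns, action):
    """IAM action names are case-insensitive and may carry a trailing wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))

def missing_key_permissions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """Required actions the key policy does not grant principal_arn (simplified:
    an explicit Deny wins, Condition blocks are ignored; an assumption here)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        resources = _as_list(stmt.get("Resource"))
        if not any(r == "*" or r.startswith("arn:aws:kms:") for r in resources):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in required if _covers(stmt.get("Action"), a))
    return [a for a in required if a in denied or a not in allowed]
```

To check a deployed key, feed it the `Policy` field returned by `aws kms get-key-policy --key-id <key> --policy-name default`, which is a JSON string and must be parsed with `json.loads` first. An empty result means the Config role has what SNS needs on that key.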