
Setting up SNS topic permissions for AWS budget alarms

What

To create a budget that sends notifications to an AWS SNS topic, the budget must have permission to publish notifications to your topic. In this post, we will explore how to grant that permission to AWS Budgets, as an alternative to simply using email contacts.

In a previous post, while setting up a budget alarm, I used an email contact as the notification method. But since I want to take advantage of the SNS topic I already have, and I also wish to explore more AWS options, this time I want to use my SNS topic as the notification for my budget.

Amazon Simple Notification Service (SNS)

Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and event-driven serverless applications. AWS provides SNS topics for high-throughput, push-based, many-to-many messaging.

A topic is a message channel. When you publish a message to a topic, it fans out the message to all subscribed endpoints. I already created a topic when I created an AWS billing alert. Take a look at step 9 of this (other) post first. You can also create a new SNS topic following the instructions from AWS.

How

Again, I am using this post as a reference. Refer to step 8. (Step 3, under “Create a budget”).


From step 3, while creating a budget, you have the option to notify via an Amazon SNS topic; for this, you need to copy and paste your SNS topic ARN. You can access and copy your ARN from here.

However, if you check the SNS option and simply paste your ARN, you’ll get the message below. By default, AWS budgets are not set to publish to SNS topics.

AWS Budget does not have permission to publish to this SNS topic. To grant publish permissions, please review the sample AWS Budget SNS topic policy statement.

(image: mulcas-AWS-budget)

Grant budgets permissions to SNS topics

  1. If you click on View the AWS Budget SNS topic policy statement, you’ll get the piece of code needed to edit your SNS topic policy. Copy this code, save it in Notepad, and close this window.
(image: mulcas-AWS-budget-SNS)
  2. From the same page (step 3), click on Manage your SNS topics.
(image: mulcas-AWS-manage-SNS)
  3. On the Amazon SNS Dashboard, click on Topics in the left menu, or click on the number of topics you have under the dashboard.
(image: mulcas-AWS-SNS-topic)
  4. Now, under Topics, click on the topic you want to grant the budget permissions to. I only have one, for the moment, the one I created for CloudWatch.

Note: From here, you can also see your ARN, which is needed for step 7 of this post.

(image: mulcas-AWS-SNS-ARN)
  5. Under the selected Topic, click on Edit.
(image: mulcas-AWS-SNS-edit-topic)
  6. Search for and expand the option: Access policy - optional
(image: mulcas-AWS-SNS-Access-Policy)

Editing your code

  7. This will give you direct access to the JSON editor. From there, scroll down and paste the SNS topic policy statement you copied earlier at the end of the Statement array. Remember to add a comma (,) after the closing brace (}) of the preceding statement. Also, replace the ARN under “Resource” with your own SNS topic ARN.

Note: This is probably the “difficult” part of this post. If you get an error when trying to save your changes, it is almost certainly an issue with the pasted code. Below is my code as a reference. Remember to use your own ARN.

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789101112:Default_CloudWatch_Alarms_Topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "424337963225"
        }
      }
    },
    {
      "Sid": "AWSBudgets-notification-1",
      "Effect": "Allow",
      "Principal": {
        "Service": "budgets.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789101112:Default_CloudWatch_Alarms_Topic"
    }
  ]
}
  8. Then, click on Save changes, at the end of the Edit page.
  9. If all is good, you’ll see the green Save changes message.
(image: mulcas-AWS-SNS-edit)
  10. Now, return to Step 4 of Create a budget and enter the ARN of the edited topic. You should see a green check next to your SNS topic ARN box, indicating that AWS Budgets has been successfully granted permission to publish to your SNS topic.
(image: mulcas-AWS-budget-SNS)
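To take the comma-and-brace fragility out of step 7, here is an added Python example (not the post's own code, nor AWS's) that merges the budgets statement into an existing topic access policy and then checks the result the way the console's green check in step 10 does. It goes slightly beyond the post's sample statement by adding aws:SourceAccount and aws:SourceArn conditions, which AWS documents as the way to keep a service-principal grant scoped to budgets in your own account. The account id, topic ARN and the sample existing policy are constructed placeholders.

```python
"""Merge the AWS Budgets publish statement into an SNS topic access policy.

Added example, not code from the post or from AWS. It automates steps 7 to 10
above: appending the budgets statement to the topic's existing policy without
the hand-edited comma/brace mistakes, then checking the result the way the
console's green check does. The account id, topic ARN and the sample policy
below are constructed placeholders.
"""
import json
import re

# Constructed placeholders (12-digit account id, as real ARNs use).
ACCOUNT_ID = "123456789012"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:Default_CloudWatch_Alarms_Topic"

# Constructed stand-in for the topic's default access policy: it grants the
# account owner the usual topic management actions but says nothing about budgets.
EXISTING_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:GetTopicAttributes", "SNS:SetTopicAttributes",
                   "SNS:Subscribe", "SNS:Publish", "SNS:Receive"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": ACCOUNT_ID}},
    }],
})

TOPIC_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:(\d{12}):[A-Za-z0-9_.-]+$")


def budgets_statement(topic_arn, sid="AWSBudgets-notification-1"):
    """Build the statement the console's sample shows for budgets.amazonaws.com.

    Beyond the post's sample, it adds aws:SourceAccount / aws:SourceArn
    conditions so that only budgets belonging to this account can use the
    grant (the confused-deputy mitigation AWS documents for service principals).
    """
    match = TOPIC_ARN_RE.match(topic_arn)
    if not match:
        raise ValueError(f"not an SNS topic ARN: {topic_arn!r}")
    account = match.group(1)
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "budgets.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account},
            "ArnLike": {"aws:SourceArn": f"arn:aws:budgets::{account}:budget/*"},
        },
    }


def _as_list(value):
    """IAM allows a single string/object where a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def merge_statement(policy_json, statement):
    """Return the policy JSON with `statement` appended (replacing any same Sid).

    json.loads fails loudly on the missing-comma / stray-brace errors that the
    console's Save changes would otherwise report.
    """
    policy = json.loads(policy_json)
    statements = [s for s in _as_list(policy.get("Statement"))
                  if s.get("Sid") != statement["Sid"]]
    statements.append(statement)
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


def statement_sids(policy_json):
    """Sids of all statements in the policy, in order."""
    return [s.get("Sid") for s in _as_list(json.loads(policy_json).get("Statement"))]


def budgets_can_publish(policy_json, topic_arn):
    """Approximate the console's green check: is there an Allow statement that
    lets the budgets.amazonaws.com service principal call SNS:Publish on
    topic_arn? Explicit Deny statements are not modelled here."""
    for s in _as_list(json.loads(policy_json).get("Statement")):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(s.get("Action"))]
        if ("budgets.amazonaws.com" in services
                and any(a in ("sns:publish", "sns:*") for a in actions)
                and topic_arn in _as_list(s.get("Resource"))):
            return True
    return False


if __name__ == "__main__":
    new_policy = merge_statement(EXISTING_POLICY, budgets_statement(TOPIC_ARN))
    print(new_policy)
    print("budgets can publish:", budgets_can_publish(new_policy, TOPIC_ARN))
```

Run it as a script to print the merged policy. To apply it, that same JSON string is what you would pass as the topic's Policy attribute (in boto3, sns.set_topic_attributes(TopicArn=TOPIC_ARN, AttributeName="Policy", AttributeValue=new_policy)), which is the equivalent of clicking Save changes in step 8. Re-running the merge replaces the budgets statement instead of appending a duplicate, so the policy stays tidy if you adjust the conditions later.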

After this configuration, you can continue with the creation of a budget alarm.

References:

https://mulcas.com/configure-an-aws-budget-alarm-to-control-your-account-costs/

Amazon Simple Notification Service

Juan Mulford
I have been active in IT for over fourteen years now. I am a solutions architect, working with storage, virtualization, and VDI solutions. For the past ten years, I have been living and working in Taiwan.
