
Setting up SNS topic permissions for AWS budget alarms


What

To create a budget that sends notifications to an AWS SNS topic, the budget must have permissions to send and publish notifications to your topic. In this post, we will explore how to grant those budget permissions, as an alternative to simply using email contacts.

In a previous post, while setting a budget alarm, I used an email contact as a notification method. But as I want to take advantage of the SNS topic that I already have, and I also wish to explore more options from AWS, this time, I want to use my SNS topic as notification for my budget.

Amazon Simple Notification Service (SNS)

Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and event-driven serverless applications. AWS provides SNS topics for high-throughput, push-based, many-to-many messaging.

A topic is a message channel. When you publish a message to a topic, it fans out the message to all subscribed endpoints. I already created a topic at the moment I created an AWS billing alert. Take a look at step 9 of this (other) post first. You can also create a new SNS topic following the instructions from AWS.

How

Again, I am using this post as a reference. Refer to step 8. (Step 3, under “Create a budget”).

In step 3, while creating a budget, you have the option to notify via an Amazon SNS topic. For this, you need to copy and paste your SNS topic ARN. You can access and copy your ARN from here.

However, if you check the SNS option and simply paste your ARN, you’ll get the message below. By default, AWS budgets are not set to publish to SNS topics.

AWS Budget does not have permission to publish to this SNS topic. To grant publish permissions, please review the sample AWS Budget SNS topic policy statement.

Grant budgets permissions to SNS topics

  1. If you click on View the AWS Budget SNS topic policy statement, you’ll get the piece of code needed to edit your SNS topic policy. Copy this code, save it in Notepad, and close this window.
  2. From the same page (step 3), click on Manage your SNS topics.
  3. On the Amazon SNS Dashboard, click on Topics in the left menu, or click on the number of topics shown on the dashboard.
  4. Now, under Topics, click on the topic you want to grant the budget permissions. I only have one, for the moment, the one I created for CloudWatch.

Note: From here, you can also see your ARN, which is needed for step 7 of this post.

  5. Under the selected Topic, click on Edit.
  6. Search for and expand the option: Access policy - optional

Editing your code

  7. This will give you direct access to the JSON editor. From there, scroll down and paste the previously copied SNS topic policy statement at the end of the code, as the last entry inside "Statement". Remember to add a comma (,) after the closing brace (}) of the statement that comes before it. You also need to replace the ARN under “Resource” with your own SNS topic ARN.

Note: This is probably the “difficult” part of this post. If you get an error when trying to save the changes, the problem is almost certainly in the pasted code. Below is my code as a reference. Remember to use your ARN.

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789101112:Default_CloudWatch_Alarms_Topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "424337963225"
        }
      }
    },
    {
      "Sid": "AWSBudgets-notification-1",
      "Effect": "Allow",
      "Principal": {
        "Service": "budgets.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789101112:Default_CloudWatch_Alarms_Topic"
    }
  ]
}

  8. Then, click on Save changes, at the end of the Edit page.
  9. If all is good, you’ll see the green Save changes message.
  10. Now, return to Step 4 of Create a budget, and enter the ARN from the edited Topic. You should see a green check next to your SNS topic ARN box, indicating that we have successfully granted budgets permission to publish to the SNS topic.

After this configuration, you can continue with the creation of a budget alarm.
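
The same policy edit can be done with a script that parses the existing policy instead of pasting into the JSON editor, which avoids the comma and brace mistakes mentioned in step 7. This is an added example, not code from the original post or from AWS: the function names, the sample ARN and the 12-digit account ID are constructed, and the optional `aws:SourceAccount` condition is a hardening assumption that is not part of the policy shown above.

```python
import json
import re

BUDGETS_SID = "AWSBudgets-notification-1"  # Sid used in the policy above
ARN_RE = re.compile(r"^arn:aws(-[a-z-]+)?:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}$")

# Constructed sample: a topic policy with one existing statement.
SAMPLE_ARN = "arn:aws:sns:us-east-1:111122223333:Default_CloudWatch_Alarms_Topic"
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{"Sid": "__default_statement_ID", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": ["SNS:Subscribe"],
                   "Resource": SAMPLE_ARN,
                   "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}],
})


def add_budgets_statement(policy_json, topic_arn, source_account=None):
    """Return the policy JSON with the AWS Budgets publish statement merged in."""
    if not ARN_RE.match(topic_arn):
        raise ValueError(f"not an SNS topic ARN: {topic_arn!r}")
    policy = json.loads(policy_json)  # raises on a stray or missing comma
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    new = {"Sid": BUDGETS_SID, "Effect": "Allow",
           "Principal": {"Service": "budgets.amazonaws.com"},
           "Action": "SNS:Publish", "Resource": topic_arn}
    if source_account:
        # Optional hardening (assumption, not in the post's policy): accept only
        # publishes made on behalf of this account (confused-deputy protection).
        new["Condition"] = {"StringEquals": {"aws:SourceAccount": source_account}}
    # Drop any earlier copy so re-running never duplicates the statement.
    kept = [s for s in statements if s.get("Sid") != BUDGETS_SID]
    policy["Statement"] = kept + [new]
    return json.dumps(policy, indent=2)


def apply_to_topic(topic_arn, source_account=None):
    """Read, merge and write back a live topic's policy (needs boto3 and credentials)."""
    import boto3  # imported lazily so the merge logic runs offline
    sns = boto3.client("sns", region_name=topic_arn.split(":")[3])
    current = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]["Policy"]
    merged = add_budgets_statement(current, topic_arn, source_account)
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
                             AttributeValue=merged)
    return merged


if __name__ == "__main__":
    print(add_budgets_statement(SAMPLE_POLICY, SAMPLE_ARN, "111122223333"))
```

Running the file prints the merged policy for the constructed sample; `apply_to_topic` writes it to a real topic and needs credentials allowed to call `SNS:GetTopicAttributes` and `SNS:SetTopicAttributes`.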

References:

https://mulcas.com/configure-an-aws-budget-alarm-to-control-your-account-costs/

Amazon Simple Notification Service
