Configuring SNS Topic notification IAM Role in Maintenance Window tasks


I currently have an AWS Maintenance Window set up in order to keep certain things up to date across some EC2 instances. I want to set up a SNS Topic to email me when one of the tasks fails to run correctly. So far I have the following Cloudformation template, which deploys fine:

  MaintenanceWindowTask1:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      Name: UpdateSSMAgent
      WindowId: !Ref MaintenanceWindow
      Targets:
        - Key: TargetIds
          Values:
            - !Ref MaintenanceWindowTarget
      TaskArn: UpdateSSMAgent
      TaskType: RUN_COMMAND
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            version:
              - "{{ssm:/ssm-version}}"
            allowDowngrade:
              - "true"
          NotificationConfig:
            NotificationArn: !Ref SnsTopic
            NotificationEvents:
              - Failed
            NotificationType: Command
      Priority: 1
      MaxConcurrency: 100%
      MaxErrors: 1

The issue with this is that I have no Notification IAM Role defined in the CFN stack, so the topic can't be published.

I can't for the life of me find any documentation on what the appropriate definition should be and I don't want to set the IAM Role the SNS Topic uses via the console.

Does anybody have a solution or know the correct CFN definition for a SNS notification IAM Role?


There is 1 answer

Marcin (best answer, score 3):

The SNS role should be passed using ServiceRoleArn. What it should be is shown in AWS docs:

In CloudFormation, the role would be:

SMMSNSRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service:
            - ssm.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    Policies:
      - PolicyName: PublishToSNS
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action: 'sns:Publish'
              Resource: '*'

Alternatively, you can create the role in AWS console, inspect it in IAM console to see what exactly it is, and re-create it in the CloudFormation.

Update:

In your code:

  MaintenanceWindowTask1:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      Name: UpdateSSMAgent
      WindowId: !Ref MaintenanceWindow
      Targets:
        - Key: TargetIds
          Values:
            - !Ref MaintenanceWindowTarget
      TaskArn: UpdateSSMAgent
      TaskType: RUN_COMMAND
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            version:
              - "{{ssm:/ssm-version}}"
            allowDowngrade:
              - "true"
          ServiceRoleArn: !GetAtt SMMSNSRole.Arn
          NotificationConfig:
            NotificationArn: !Ref SnsTopic
            NotificationEvents:
              - Failed
            NotificationType: Command
      Priority: 1
      MaxConcurrency: 100%
      MaxErrors: 1
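The pieces above fit together as one deployable template. The following is an added example, not code from the question or from Marcin's answer, and it tightens one point: the notification role grants `sns:Publish` on the single topic ARN (`!Ref SnsTopic` resolves to the ARN) instead of `Resource: '*'`, and its trust policy admits only `ssm.amazonaws.com`, so a compromise of any other principal cannot reuse the role to publish to the topic. The `AlertEmail` parameter, the `PatchGroup` tag value, the window schedule and the resource names are assumptions chosen for the example; `AWS-UpdateSSMAgent` is the name of the AWS-managed Run Command document, and `WindowTargetIds` is the target key for referencing a registered maintenance window target.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Example (constructed for illustration): an SSM Maintenance Window task whose
  Run Command failures are published to an SNS topic via a least-privilege role.

Parameters:
  AlertEmail:
    Type: String
    Description: Address subscribed to failure notifications (assumed parameter)

Resources:
  SnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # Role SSM assumes to publish the notification for this task.
  # Trust: only the SSM service. Permission: sns:Publish on this one topic.
  SsmNotificationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'          # quoted so YAML does not parse it as a date
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PublishToMaintenanceTopic
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sns:Publish
                Resource: !Ref SnsTopic  # the topic ARN, not '*'

  MaintenanceWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: WeeklyAgentUpdate
      Schedule: cron(0 3 ? * SUN *)     # assumed schedule: Sundays 03:00 UTC
      Duration: 2                       # hours
      Cutoff: 1                         # stop scheduling new tasks 1 h before the end
      AllowUnassociatedTargets: false

  MaintenanceWindowTarget:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref MaintenanceWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:PatchGroup
          Values:
            - example                   # constructed tag value

  MaintenanceWindowTask1:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      Name: UpdateSSMAgent
      WindowId: !Ref MaintenanceWindow
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref MaintenanceWindowTarget
      TaskArn: AWS-UpdateSSMAgent
      TaskType: RUN_COMMAND
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            allowDowngrade:
              - 'false'
          # Role used only for the SNS notification of this Run Command task.
          ServiceRoleArn: !GetAtt SsmNotificationRole.Arn
          NotificationConfig:
            NotificationArn: !Ref SnsTopic
            NotificationEvents:
              - Failed
              - TimedOut
            NotificationType: Command
      Priority: 1
      MaxConcurrency: '100%'
      MaxErrors: '1'
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name ssm-agent-window --parameter-overrides AlertEmail=you@example.com --capabilities CAPABILITY_IAM`; the `CAPABILITY_IAM` flag is required because the stack creates a role. The `ServiceRoleArn` sits inside `MaintenanceWindowRunCommandParameters`, as in the answer, because that property is the role SSM uses for the task's SNS notifications; the top-level task `ServiceRoleArn` is a different property (the role SSM assumes to run the task itself) and is left to the default service-linked role here.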