You’ve got a SNS topic in Account A and you wish to subscribe a Lambda function to this topic in Account B.
Setting this up requires configuration on both account sides with resource-based permission policies being applied to SNS in one account and Lambda in the other.
In other words, you’ll need to setup the permissions for SNS and Lambda to allow both subscription and invocation.
You should already have your SNS topic in Account A and a suitable Lambda function subscriber in Account B. For example:
- Account A Id: 5556667778 (SNS topic lives here)
- Account B Id: 12345678901 (Lambda function lives here)
Configure SNS topic in Account A to allow Subscriptions from Account B
Use the AWS CLI to add a resource-based permission policy to the SNS topic (using it’s ARN). This will allow the Receive and Subscribe actions from Account B.
aws sns add-permission \ --topic-arn "arn:aws:sns:us-east-1:5556667778:cross-account-topic" \ --label "AllowSubscriptionFromAccountB" \ --aws-account-id "12345678901" \ --action-name "Receive" "Subscribe"
Configure the Lambda function in Account B to allow invocation from the SNS topic in Account A
Next, add a resource-based permission policy to your Lambda function in Account B. This policy will effectively allow the specific SNS topic in Account A to invoke the Lambda function.
It’s always good practice to follow the principle of least privilege (POLP). In this case you’re only allowing the specific SNS topic in one account to invoke the specific Lambda function you’re adding the policy to.
aws lambda add-permission \ --function-name "cross-account-lambda-subscriber" \ --statement-id "AllowInvokeFromExampleSns" \ --principal "sns.amazonaws.com" \ --action "lambda:InvokeFunction" \ --source-arn "arn:aws:sns:us-east-1:5556667778:cross-account-topic"
Subscribe the Lambda function in Account B to the SNS topic in Account A
Of course you’ll need to actually subscribe the Lambda function to the SNS topic. From Account B (where your Lambda function is setup), run the following command to subscribe it to the SNS topic in Account A.
aws sns subscribe \ --topic-arn "arn:aws:sns:us-east-1:5556667778:cross-account-topic" \ --protocol "lambda" \ --notification-endpoint "arn:aws:lambda:us-east-1:12345678901:function:cross-account-lambda-subscriber"
Send a test message to your SNS topic and you should see the Lambda function process the message in the other account.
If you need to diagnose anything, remember to check Lambda CloudWatch monitoring logs, or use the SNS Delivery Status feature.
That’s all there is to setting up SNS to Lambda cross account permissions.