Tags: amazon-web-services, aws-cloudformation, amazon-iam, amazon-sns, amazon-systems-manager

Configuring SNS Topic notification IAM Role in Maintenance Window tasks


I currently have an AWS Maintenance Window set up in order to keep certain things up to date across some EC2 instances. I want to set up an SNS Topic to email me when one of the tasks fails to run correctly. So far I have the following CloudFormation template, which deploys fine:

   MaintenanceWindowTask1:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      Name: UpdateSSMAgent
      WindowId: !Ref MaintenanceWindow
      Targets:
        - Key: TargetIds
          Values:
            - !Ref MaintenanceWindowTarget
      TaskArn: UpdateSSMAgent
      TaskType: RUN_COMMAND
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            version:
              - "{{ssm:/ssm-version}}"
            allowDowngrade:
              - "true"
          NotificationConfig:
            NotificationArn: !Ref SnsTopic
            NotificationEvents:
              - Failed
            NotificationType: Command
      Priority: 1
      MaxConcurrency: 100%
      MaxErrors: 1

The issue with this is that I have no Notification IAM Role defined in the CFN stack, so the topic can't be published.

I can't for the life of me find any documentation on what the appropriate definition should be and I don't want to set the IAM Role the SNS Topic uses via the console.

Does anybody have a solution or know the correct CFN definition for an SNS notification IAM Role?


Solution

  • The SNS role should be passed using ServiceRoleArn. What it should be is shown in AWS docs:

    In CloudFormation, the role would be:

    SMMSNSRole:
      Type: 'AWS::IAM::Role'
      Properties:
        # Trust policy: Systems Manager assumes this role to publish task notifications
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - ssm.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        Path: /
        Policies:
          - PolicyName: PublishToSNS
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: 'sns:Publish'
                  # '*' permits publishing to any topic in the account; !Ref SnsTopic limits it to this stack's topic
                  Resource: '*'
    

    Alternatively, you can create the role in the AWS console, inspect it in the IAM console to see exactly what it is, and re-create it in CloudFormation.

    Update:

    In your code:

       MaintenanceWindowTask1:
        Type: AWS::SSM::MaintenanceWindowTask
        Properties:
          Name: UpdateSSMAgent
          WindowId: !Ref MaintenanceWindow
          Targets:
            - Key: TargetIds
              Values:
                - !Ref MaintenanceWindowTarget
          TaskArn: UpdateSSMAgent
          TaskType: RUN_COMMAND
          TaskInvocationParameters:
            MaintenanceWindowRunCommandParameters:
              Parameters:
                version:
                  - "{{ssm:/ssm-version}}"
                allowDowngrade:
                  - "true"
              ServiceRoleArn: !GetAtt SMMSNSRole.Arn  
              NotificationConfig:
                NotificationArn: !Ref SnsTopic
                NotificationEvents:
                  - Failed
                NotificationType: Command
          Priority: 1
          MaxConcurrency: 100%
          MaxErrors: 1
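As an added example (not code from the question, the answer, or AWS), here is a small pre-deploy check that catches the exact gap the question hit before the stack is created. It reads the template in CloudFormation's JSON form (same resources, with `!Ref`/`!GetAtt` written as `{"Ref": ...}` and `{"Fn::GetAtt": [...]}`) and flags a `RUN_COMMAND` task that has a `NotificationConfig` but no `ServiceRoleArn`, a `ServiceRoleArn` that does not point at an `AWS::IAM::Role` in the template, a role that `ssm.amazonaws.com` cannot assume or that lacks `sns:Publish`, and a publish right granted on `Resource: '*'` rather than the stack's own topic. The logical names (`SnsTopic`, `SMMSNSRole`, `MaintenanceWindowTask1`) are the ones used in the thread; the embedded templates are constructed for the example, and the scoped-policy variant goes one step beyond the answer by restricting `sns:Publish` to `Ref: SnsTopic`.

```python
"""Pre-deploy lint for SSM Maintenance Window task notifications (added example).

Walks a CloudFormation template in JSON form and reports, per task, why SSM
would be unable to publish the notification. Templates below are constructed.
"""
import copy

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ref_name(value):
    """Logical id behind a Ref / Fn::GetAtt (list or 'Role.Arn' form), else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else str(target).split(".")[0]
    return None

def check_notification_role(role):
    """Findings for an IAM role that is supposed to let SSM publish to SNS."""
    findings, props, services, resources = [], role.get("Properties", {}), [], []
    for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            services += _as_list(stmt.get("Principal", {}).get("Service", []))
    if "ssm.amazonaws.com" not in services:
        findings.append("trust policy does not let ssm.amazonaws.com assume the role")
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
            actions = set(_as_list(stmt.get("Action", [])))
            if stmt.get("Effect") == "Allow" and actions & {"sns:Publish", "sns:*"}:
                resources += _as_list(stmt.get("Resource", []))
    if not resources:
        findings.append("no inline policy grants sns:Publish")
    elif "*" in resources:  # a Ref to the topic is a dict, so only a literal '*' matches
        findings.append("sns:Publish allowed on Resource '*'; scope it to the topic ARN")
    return findings

def check_template(template):
    """Map each maintenance window task that has problems to its list of findings."""
    resources, report = template.get("Resources", {}), {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::SSM::MaintenanceWindowTask":
            continue
        params = (res.get("Properties", {}).get("TaskInvocationParameters", {})
                  .get("MaintenanceWindowRunCommandParameters", {}))
        findings = []
        if "NotificationConfig" in params:
            role_id = _ref_name(params.get("ServiceRoleArn"))
            if role_id is None:
                findings.append("NotificationConfig set but ServiceRoleArn missing: SSM has no role to publish with")
            elif resources.get(role_id, {}).get("Type") != "AWS::IAM::Role":
                findings.append(f"ServiceRoleArn points at {role_id!r}, not an AWS::IAM::Role in this template")
            else:
                findings += [f"{role_id}: {f}" for f in check_notification_role(resources[role_id])]
        if findings:
            report[name] = findings
    return report

# Constructed template: the answer's fix, with sns:Publish scoped to the stack's topic.
FIXED_TEMPLATE = {"Resources": {
    "SnsTopic": {"Type": "AWS::SNS::Topic"},
    "SMMSNSRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": ["ssm.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}]},
        "Policies": [{"PolicyName": "PublishToSNS", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "sns:Publish", "Resource": {"Ref": "SnsTopic"}}]}}]}},
    "MaintenanceWindowTask1": {"Type": "AWS::SSM::MaintenanceWindowTask", "Properties": {
        "TaskType": "RUN_COMMAND", "TaskArn": "UpdateSSMAgent",
        "TaskInvocationParameters": {"MaintenanceWindowRunCommandParameters": {
            "ServiceRoleArn": {"Fn::GetAtt": ["SMMSNSRole", "Arn"]},
            "NotificationConfig": {"NotificationArn": {"Ref": "SnsTopic"},
                                   "NotificationEvents": ["Failed"],
                                   "NotificationType": "Command"}}}}}}}

# The question's state: same task, but no ServiceRoleArn.
BROKEN_TEMPLATE = copy.deepcopy(FIXED_TEMPLATE)
del BROKEN_TEMPLATE["Resources"]["MaintenanceWindowTask1"]["Properties"]["TaskInvocationParameters"][
    "MaintenanceWindowRunCommandParameters"]["ServiceRoleArn"]

def wildcard_template():
    """The fix as posted, with the literal Resource '*' (over-broad publish right)."""
    t = copy.deepcopy(FIXED_TEMPLATE)
    t["Resources"]["SMMSNSRole"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"][0]["Resource"] = "*"
    return t

if __name__ == "__main__":
    for label, tpl in [("question", BROKEN_TEMPLATE), ("answer, scoped", FIXED_TEMPLATE),
                       ("answer, wildcard", wildcard_template())]:
        print(label, "->", check_template(tpl) or "OK")
```

Run it as-is to see the three verdicts, or point `check_template` at `json.load(open("template.json"))` for a real stack; templates written in YAML can be converted first with `aws cloudformation get-template` or any YAML-to-JSON step that understands the `!Ref`/`!GetAtt` short tags.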