
I'm trying to configure several AWS accounts to log CloudTrail to a central logging account, from which the logs will be brought into Splunk. In order to do this, I need to configure CloudTrail on each source AWS account to log to an S3 bucket in the central logging account, and also to notify an SNS topic in the central logging account (the SNS topic is necessary for Splunk to know that there are new log events to consume).

I found instructions for configuring the SNS topic policy on this page: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-permissions-for-sns-notifications.html

Specifically:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailSNSPolicy20131101",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:123456789012:myTopic"
    }]
}

I replaced the value of the resource attribute with the ARN for my SNS topic, and applied this policy to that topic. This policy successfully allowed CloudTrail on my other accounts to notify the SNS topic in the central logging account. My question is: how do I restrict the source accounts in this policy? It seems as if anybody who had the ARN for my SNS topic could configure CloudTrail on their account to notify my SNS topic.

I've tried several things including using conditions, and changing the principal from the CloudTrail service to specific AWS account numbers. So far everything I've tried has broken the ability for CloudTrail to notify the SNS topic.

Joe M.

0 Answers
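One way to add the missing restriction, as an added example rather than code from the post or from AWS: keep the CloudTrail service principal, but condition it on the `aws:SourceArn` key that CloudTrail supplies when it publishes, so only trails in named source accounts can publish. The account numbers and trail names below are placeholders, and `publish_allowed` is a simplified model of how IAM evaluates this one statement shape, not the real policy engine.

```python
import json

# Constructed placeholder values (not real resources): the central logging
# account's topic and the trails in two source accounts allowed to publish.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:central-cloudtrail-topic"
ALLOWED_TRAIL_ARNS = [
    "arn:aws:cloudtrail:us-east-1:222222222222:trail/central-trail",
    "arn:aws:cloudtrail:us-east-1:333333333333:trail/central-trail",
]


def build_topic_policy(topic_arn, allowed_trail_arns):
    """Same statement as the AWS doc example, plus a StringEquals condition
    on aws:SourceArn, the trail ARN CloudTrail sets when it publishes, so
    only the listed trails (and hence only those accounts) are allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSCloudTrailSNSPolicy20131101",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": {"StringEquals": {"aws:SourceArn": allowed_trail_arns}},
        }],
    }


def publish_allowed(policy, service, resource, source_arn=None):
    """Minimal deny-by-default evaluator (hypothetical helper) for this
    statement shape: service principal, SNS:Publish, exact resource, and a
    StringEquals condition on aws:SourceArn (a list value means any one of
    them). A request carrying no aws:SourceArn fails the condition, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"].get("Service") != service:
            continue
        if stmt["Action"].lower() != "sns:publish" or stmt["Resource"] != resource:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn")
        if wanted is None:  # no condition: any account's trail may publish
            return True
        if isinstance(wanted, str):
            wanted = [wanted]
        if source_arn in wanted:
            return True
    return False


if __name__ == "__main__":
    policy = build_topic_policy(TOPIC_ARN, ALLOWED_TRAIL_ARNS)
    print(json.dumps(policy, indent=2))
    print(publish_allowed(policy, "cloudtrail.amazonaws.com", TOPIC_ARN,
                          "arn:aws:cloudtrail:us-east-1:999999999999:trail/x"))
```

If you would rather allow whole accounts than individual trails, the same pattern works with `aws:SourceAccount` holding a list of account IDs instead of trail ARNs.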