Anyone else having issue with CloudGuard Notification not working with AWS China SNS Notification
Our AWS China SNS notification apparently is not working in CloudGuard. We are using it for remediation (CloudBots). Anyone else having the same issue? I did give the proper permissions to both the CloudGuard IAM user and the SNS topic.
Labels: CSPM AWS China
Hello adamybsci,
I would suggest checking in AWS the Access Policy of the SNS topic d9-findings.
There you have a JSON policy that specifies who can access that topic, and there will be a principal specified (defined with an AWS account number). That account number depends on the region in which your CloudGuard CSPM platform resides.
You need to make sure that the AWS account number set in the Access Policy is the same as the one you see in the IAM Role that you created during your AWS onboarding.
I have already given the CloudGuard IAM user, which has the appropriate SNS permissions, the proper permission on d9-findings.
Hi adamybsci,
So can you confirm that the Access Policy of the SNS topic has the same AWS account number that you see in the CloudGuard IAM Role used for the integration?
Even if the CloudGuard IAM Role has all the proper permissions in place, the CloudGuard platform will need to call your SNS topic, and this call will be matched against your SNS topic policy.
If you have deployed the CloudBot from the AWS CloudFormation template, it may be that you need to change the AWS account number in order to match what your platform is using.
Yes, we've done both of the things you mentioned. Here is what it looks like today in our SNS Access Policy. I've given unlimited access to any AWS principal to Publish messages into the SNS topic.

    {
      "Version": "2012-10-17",
      "Id": "D9DeliveryPolicy",
      "Statement": [
        {
          "Sid": "D9DeliveryPolicy",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sns:Publish",
          "Resource": "arn:aws-cn:sns:cn-north-1:1234567890:d9-findings"
        }
      ]
    }
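An added check, not from the thread or from Check Point, that inspects an SNS topic access policy the way the earlier reply describes: it confirms that the CloudGuard account id is a permitted sns:Publish principal, flags the wildcard principal that the policy above grants, and verifies that the resource ARN uses the aws-cn partition. The account id 1234567890 is the placeholder from the thread, and the tightened policy in the usage is a constructed example.

```python
import json

# Constructed sample: the policy pasted in the thread (placeholder account id,
# aws-cn partition used by the China regions).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "D9DeliveryPolicy",
  "Statement": [{
    "Sid": "D9DeliveryPolicy", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sns:Publish",
    "Resource": "arn:aws-cn:sns:cn-north-1:1234567890:d9-findings"}]
}""")

def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_accounts(principal):
    """Return the account ids (or '*') named in a statement's Principal element."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:"):
            accounts.add(entry.split(":")[4])  # arn:partition:iam::ACCOUNT:root
        else:
            accounts.add(entry)  # bare 12-digit account id
    return accounts

def check_topic_policy(policy, expected_account, expected_partition="aws-cn"):
    """Check that sns:Publish is allowed for the expected CloudGuard account,
    report wildcard principals, and check the resource ARN partition."""
    findings = {"publish_allowed_for_expected": False,
                "wildcard_principal": False, "partition_mismatch": False}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sns:Publish", "sns:*", "*") for a in actions):
            continue
        accounts = principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings["wildcard_principal"] = True  # anyone can publish findings
        if expected_account in accounts or "*" in accounts:
            findings["publish_allowed_for_expected"] = True
        for res in _as_list(stmt.get("Resource", [])):
            if res.startswith("arn:") and res.split(":")[1] != expected_partition:
                findings["partition_mismatch"] = True  # e.g. aws instead of aws-cn
    return findings
```

For the policy posted above, `check_topic_policy(SAMPLE_POLICY, "1234567890")` reports that publishing is allowed but that the principal is a wildcard, so the topic accepts findings from any AWS account rather than only the CloudGuard one.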