Recently, our payment service has been built on a serverless, event-driven architecture using SNS, SQS, and Lambda functions. This supports event callbacks from the core payment event service (referred to below as the core event service), which integrates multiple third-party purchase vendors behind one interface.

When a user performs a subscription action on our platform, each action is sent to the third-party vendor. The vendor creates an event for the core event service, and the core event service sends the callback event to the project payment service's SNS topic. For this final hop, the project service must grant the core event service cross-account (cross-VPC) access to publish to its SNS topic:

3rd vendor --(callback event)--> core event service --(callback event)--> project

Following is how to grant SNS publish permission for an external account in Corp's AWS environment:

Create SNS Topic

Create a Standard SNS topic; this produces an SNS Amazon Resource Name (ARN).

An external AWS account can publish an event message to this SNS topic using the SNS ARN.

Create IAM Role

Create an IAM role with a permissions policy like the following, which allows publishing messages to SNS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "*"
        }
    ]
}

Next, set the trust policy. First, set the Principal to specify which external identity is allowed to assume this role (this is a resource-based policy); then add an ExternalId condition so that only the third party presenting that ID can access our resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{{ External AWS Account IAM role }}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "{{Unique ID assign for external Account}}"
                }
            }
        }
    ]
}

Finally, provide the SNS topic ARN, the IAM role ARN, and the ExternalId to the core service, which grants it permission to publish to the project payment service's SNS topic.
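As an added example (not code from the original post), the following Python builds the two policy documents from the steps above and lints them for the weaknesses a reviewer would look for: `sns:Publish` on `Resource "*"`, a wildcard trust principal, and a missing `sts:ExternalId` condition. The topic ARN, role ARN, and ExternalId values are constructed placeholders.

```python
"""Build and check the IAM role policies for cross-account SNS publishing."""
import json


def sns_publish_policy(topic_arn):
    """Permissions policy: allow publishing only to the one callback topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublishToPaymentCallbackTopic",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def trust_policy(external_role_arn, external_id):
    """Trust policy: only the named external role may assume, and only with the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": external_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policies(permissions, trust):
    """Return findings for the permissions/trust policy pair (empty list means clean)."""
    findings = []
    for st in permissions.get("Statement", []):
        if st.get("Effect") == "Allow" and "sns:Publish" in _as_list(st.get("Action")):
            if "*" in _as_list(st.get("Resource")):
                findings.append("sns:Publish allowed on Resource '*' (scope to the topic ARN)")
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("trust policy Principal is '*' (any account could assume the role)")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("sts:AssumeRole without sts:ExternalId condition (confused deputy)")
    return findings


if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-1:111111111111:payment-callback"  # constructed
    ext_role = "arn:aws:iam::222222222222:role/core-event-service"  # constructed
    print(json.dumps(check_policies(sns_publish_policy(topic), trust_policy(ext_role, "example-id"))))
```

Run against the permissions policy shown earlier on this page, the linter reports the `Resource "*"` finding; the trust policy with its ExternalId condition passes.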
