Skip to content

Instantly share code, notes, and snippets.

  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save tomislacker/60803e9e0082d05c431d117f897d89c6 to your computer and use it in GitHub Desktop.
Setting up a Public AWS SNS Topic

How to create a publicly-accessible SNS topic that sends messages when objects are added to a public Amazon S3 bucket.

1. Create something within AWS that triggers notifications.

In this case, that's an S3 bucket that is continually updated by the addition of new sensor data. For the purposes of this tutorial, we’ll use s3://noaa-nexrad-level2 – one of our NEXRAD on AWS buckets – as an example.

2. Create an SNS topic and appropriate policy.

The SNS topic should be in the same region as the bucket. It will need to have a policy that allows our S3 bucket to publish to it, and anyone to subscribe to it using Lambda or SQS.

We created an SNS topic named NewNEXRADLevel2Archive in our US East region, so its Amazon Resource Name (ARN) is arn:aws:sns:us-east-1:811054952067:NewNEXRADLevel2Archive.

Below is the policy we use for it. A few things to note:

  • The SNS policy needs to be able to reference its own ARN. S3 bucket policies are the same way.
  • The policy needs the ARN of the S3 bucket that is the source of notifications.
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "allowS3BucketToPublish",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:811054952067:NewNEXRADLevel2Archive",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:noaa-nexrad-level2"
        }
      }
    },
    {
      "Sid": "allowOnlySQSandLambdaSubscription",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:811054952067:NewNEXRADLevel2Archive",
      "Condition": {
        "StringEquals": {
          "SNS:Protocol": ["sqs", "lambda"]
        }
      }
    }
  ]
}

3. List the SNS topic ARN as the destination for event notifications for our S3 bucket.

We do this by enabling notifications on the S3 bucket and pasting in the SNS ARN as the destination. You’ll get an error if the topic is in a different region than the bucket or if the topic’s policy doesn’t give permission for the bucket to publish to it.

Now you should be all set to subscribe to the SNS topic from any other AWS account using SQS or Lambda. When someone subscribes to your topic, you will see their AWS ID and the protocol they use to subscribe within the SNS section of your AWS console.

Controlling SNS Costs

In case you’re wondering why we limit subscriptions to SQS and Lambda, it’s because SNS isn't a free service, and publishing to email, http, and SMS all incur charges, while publishing to SQS and Lambda do not. We recommend limiting subscription protocols simply to be better able to manage and predict costs. This applies to us because the NEXRAD data is updated at a rapid pace (currently about a million new objects per day), however this probably won’t be a big issue at the municipal level.

The first million SNS requests per month are free and are 50¢ per million after that. Data transfer fees would also apply. More info on SNS pricing is at https://aws.amazon.com/sns/pricing/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment