feat: Added OrgId and SourceAccounts to SNS topic policy

Added OrgId and SourceAccounts to SNS topic policy

Author: obs-gh-justindaines

DEVELOPER.md

@@ -278,6 +278,8 @@ make test-integration-metricstream
 make test-integration-simple
 make test-integration-stack
 make test-integration-stack_including_metricspollerrole
+make test-integration-stack_with_org_id
+make test-integration-stack_with_source_accounts
 ```
 
 ### Debugging

apps/stack/template.yaml

@@ -31,6 +31,8 @@ Metadata:
           - ConfigDeliveryBucketName
           - IncludeResourceTypes
           - ExcludeResourceTypes
+          - OrgId
+          - SourceAccounts
       - Label:
           default: CloudWatch Logs
         Parameters:
@@ -215,6 +217,23 @@ Parameters:
       OpenTelemetry endpoint to send additional telemetry to.
     Default: ''
     AllowedPattern: "^(http(s)?:\/\/.*)?$"
+  OrgId:
+    Type: String
+    Description: >-
+      Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg
+      statement on the SNS topic that allows publishes by aws:PrincipalOrgID.
+      Useful for AWS Control Tower integrations.
+    Default: ''
+    AllowedPattern: '^(o-[a-z0-9]{10,32})?$'
+  SourceAccounts:
+    Type: CommaDelimitedList
+    Description: >-
+      List of AWS account IDs allowed to publish to the SNS topic via
+      AWS Config. Useful for sub-accounts in AWS Organizations and
+      Control Tower integrations. The current account ID is automatically
+      included when this list is non-empty.
+    Default: ''
+    AllowedPattern: '^\d*$'
 
 Conditions:
   EmptyConfigDeliveryBucketName: !Equals
@@ -269,6 +288,16 @@ Conditions:
     - !Equals
       - !Ref ObserveAwsAccountId
       - ""
+  HasOrgId: !Not
+    - !Equals
+      - !Ref OrgId
+      - ""
+  HasSourceAccounts: !Not
+    - !Equals
+      - !Join
+        - ','
+        - !Ref SourceAccounts
+      - ''
 Resources:
   Topic:
     Type: "AWS::SNS::Topic"
@@ -307,6 +336,40 @@ Resources:
               - "sns:Publish"
             Resource:
               - !Ref Topic
+          - !If
+            - HasOrgId
+            - Sid: "AllowAWSConfigFromOrg"
+              Effect: "Allow"
+              Principal:
+                Service:
+                  - "config.amazonaws.com"
+              Action:
+                - "SNS:Publish"
+              Resource:
+                - !Ref Topic
+              Condition:
+                StringEquals:
+                  "aws:PrincipalOrgID": !Ref OrgId
+            - !Ref AWS::NoValue
+          - !If
+            - HasSourceAccounts
+            - Sid: "AllowAWSConfigFromSourceAccounts"
+              Effect: "Allow"
+              Principal:
+                Service:
+                  - "config.amazonaws.com"
+              Action:
+                - "SNS:Publish"
+              Resource:
+                - !Ref Topic
+              Condition:
+                StringEquals:
+                  "AWS:SourceAccount": !Split
+                    - ','
+                    - !Sub
+                      - '${Accounts},${AWS::AccountId}'
+                      - Accounts: !Join [',', !Ref SourceAccounts]
+            - !Ref AWS::NoValue
       Topics:
         - !Ref Topic
   Bucket:

docs/stack.md

@@ -32,6 +32,8 @@ The Observe stack provisions the following components:
 | `ConfigDeliveryBucketName` | String | If AWS Config is already enabled in this account and region, provide the S3 bucket snapshots are written to. |
 | `IncludeResourceTypes` | CommaDelimitedList | If AWS Config is not enabled in this account and region, provide a list of resource types to collect. Use a wildcard to collect all supported resource types. |
 | `ExcludeResourceTypes` | CommaDelimitedList | Exclude a subset of resource types from configuration collection. This parameter can only be set if IncludeResourceTypes is wildcarded. |
+| `OrgId` | String | Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg statement on the SNS topic that allows publishes by aws:PrincipalOrgID. Useful for AWS Control Tower integrations. |
+| `SourceAccounts` | CommaDelimitedList | List of AWS account IDs allowed to publish to the SNS topic via AWS Config. Useful for sub-accounts in AWS Organizations and Control Tower integrations. The current account ID is automatically included when this list is non-empty. |
 | `LogGroupNamePatterns` | CommaDelimitedList | Comma separated list of patterns. If not empty, the lambda function will only apply to log groups that have names that match one of the provided strings based on a case-sensitive substring search. |
 | `LogGroupNamePrefixes` | CommaDelimitedList | Comma separated list of prefixes. If not empty, the lambda function will only apply to log groups that start with a provided string. |
 | `ExcludeLogGroupNamePatterns` | CommaDelimitedList | Comma separated list of patterns. This paramter is used to filter out log groups from subscription, and supports the use of regular expressions. |

integration/modules/get_org_id/main.tf

@@ -0,0 +1,4 @@
+data "aws_organizations_organization" "current" {}
+
+data "aws_caller_identity" "current" {}
+

integration/modules/get_org_id/outputs.tf

@@ -0,0 +1,10 @@
+output "org_id" {
+  description = "AWS Organizations ID"
+  value       = data.aws_organizations_organization.current.id
+}
+
+output "account_id" {
+  description = "AWS Account ID"
+  value       = data.aws_caller_identity.current.account_id
+}
+

integration/scripts/check_sns_topic_policy

@@ -0,0 +1,82 @@
+#!/bin/bash
+set -euo pipefail
+
+DIE() { echo "$*" 1>&2; exit 1; }
+
+[[ ! -z "${TOPIC_ARN:-}" ]] || DIE "TOPIC_ARN not set"
+[[ ! -z "${CHECK_TYPE:-}" ]] || DIE "CHECK_TYPE not set"
+
+echo "Fetching SNS topic policy for ${TOPIC_ARN}"
+POLICY=$(aws sns get-topic-attributes \
+  --topic-arn "${TOPIC_ARN}" \
+  --query 'Attributes.Policy' \
+  --output text ${OPTS:-})
+
+[[ ! -z "${POLICY}" ]] || DIE "Failed to fetch topic policy"
+
+echo "Policy retrieved successfully"
+
+case "${CHECK_TYPE}" in
+  org_id)
+    [[ ! -z "${EXPECTED_ORG_ID:-}" ]] || DIE "EXPECTED_ORG_ID not set for org_id check"
+    echo "Checking for aws:PrincipalOrgID condition with value: ${EXPECTED_ORG_ID}"
+    
+    # Check if the policy contains the expected org ID
+    if echo "${POLICY}" | jq -e --arg org_id "${EXPECTED_ORG_ID}" \
+      '.Statement[] | select(.Sid == "AllowAWSConfigFromOrg") | .Condition.StringEquals."aws:PrincipalOrgID" == $org_id' > /dev/null; then
+      echo "✓ Found correct aws:PrincipalOrgID condition"
+      exit 0
+    else
+      echo "✗ aws:PrincipalOrgID condition not found or incorrect"
+      echo "Policy:"
+      echo "${POLICY}" | jq '.'
+      exit 1
+    fi
+    ;;
+    
+  source_accounts)
+    [[ ! -z "${EXPECTED_ACCOUNT_IDS:-}" ]] || DIE "EXPECTED_ACCOUNT_IDS not set for source_accounts check"
+
+    # Build the full list of expected accounts (including current account if provided)
+    EXPECTED_ACCOUNTS="${EXPECTED_ACCOUNT_IDS}"
+    if [[ ! -z "${CURRENT_ACCOUNT_ID:-}" ]]; then
+      EXPECTED_ACCOUNTS="${EXPECTED_ACCOUNTS},${CURRENT_ACCOUNT_ID}"
+    fi
+
+    echo "Checking for AWS:SourceAccount condition with accounts: ${EXPECTED_ACCOUNTS}"
+
+    # Check if the policy contains the SourceAccount condition
+    if echo "${POLICY}" | jq -e '.Statement[] | select(.Sid == "AllowAWSConfigFromSourceAccounts")' > /dev/null; then
+      echo "✓ Found AllowAWSConfigFromSourceAccounts statement"
+
+      # Verify the condition exists
+      SOURCE_ACCOUNTS=$(echo "${POLICY}" | jq -r '.Statement[] | select(.Sid == "AllowAWSConfigFromSourceAccounts") | .Condition.StringEquals."AWS:SourceAccount" | if type == "array" then .[] else . end' | sort | tr '\n' ',' | sed 's/,$//')
+
+      echo "Found source accounts: ${SOURCE_ACCOUNTS}"
+      echo "Expected accounts: ${EXPECTED_ACCOUNTS}"
+
+      # Split expected accounts and check each one is present
+      IFS=',' read -ra EXPECTED_ARRAY <<< "${EXPECTED_ACCOUNTS}"
+      for account in "${EXPECTED_ARRAY[@]}"; do
+        if echo "${SOURCE_ACCOUNTS}" | grep -q "${account}"; then
+          echo "✓ Found account ${account}"
+        else
+          echo "✗ Account ${account} not found in policy"
+          exit 1
+        fi
+      done
+
+      exit 0
+    else
+      echo "✗ AllowAWSConfigFromSourceAccounts statement not found"
+      echo "Policy:"
+      echo "${POLICY}" | jq '.'
+      exit 1
+    fi
+    ;;
+    
+  *)
+    DIE "Unknown CHECK_TYPE: ${CHECK_TYPE}. Must be 'org_id' or 'source_accounts'"
+    ;;
+esac
+