From b2697078cf3a56a02aa2c665bdcb2d6ca923aff4 Mon Sep 17 00:00:00 2001
From: Stefan Wessels Beljaars
Date: Tue, 2 Jan 2024 12:19:55 +0100
Subject: [PATCH] Updates SNS topic LandingZone-IAMActivity's policy so it only allows publishing from the core-mangement account and adds policy to prevent error "loading the SNS subscriptions for topics" when viewing corresponding active CloudWatch alarms
Signed-off-by: Stefan Wessels Beljaars
---
 files/sns/iam_activity_topic_policy.json.tpl | 18 ++++++++++++++++--
 iam_activity_logging.tf | 3 ++-
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/files/sns/iam_activity_topic_policy.json.tpl b/files/sns/iam_activity_topic_policy.json.tpl
index 3ad3daf..d259039 100644
--- a/files/sns/iam_activity_topic_policy.json.tpl
+++ b/files/sns/iam_activity_topic_policy.json.tpl
@@ -21,17 +21,31 @@
 "Resource": "${sns_topic}",
 "Condition": {
 "StringEquals": {
- "AWS:SourceOwner": "${account_id}"
+ "AWS:SourceOwner": "${audit_account_id}"
 }
 }
 },
 {
- "Sid": "__services_allowed_publish",
+ "Sid": "AllowServicesToPublishFromMgmtAccount",
 "Effect": "Allow",
 "Principal": {
 "Service": ${services_allowed_publish}
 },
 "Action": "sns:Publish",
+ "Resource": "${sns_topic}",
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceAccount": "${mgmt_account_id}"
+ }
+ }
+ },
+ {
+ "Sid": "AllowMgmtMasterToListSubcriptions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::${mgmt_account_id}:root"
+ },
+ "Action": "sns:ListSubscriptionsByTopic",
 "Resource": "${sns_topic}"
 }
 %{ if length(security_hub_roles) > 0 ~}
diff --git a/iam_activity_logging.tf b/iam_activity_logging.tf
index 71bb1fe..bdb1f1a 100644
--- a/iam_activity_logging.tf
+++ b/iam_activity_logging.tf
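Review bot: The Sid of the new statement reads `AllowMgmtMasterToListSubcriptions`, dropping the "s" in "Subscriptions"; Sids are the identifier people search for in policy diffs and access-analyzer findings, so it is worth correcting to `"Sid": "AllowMgmtMasterToListSubscriptions"` before the policy is applied. That statement grants `arn:aws:iam::${mgmt_account_id}:root`, which delegates to every principal in the management account whose own identity policy allows `sns:ListSubscriptionsByTopic`, and subscription listings expose endpoint addresses; if the alarms are only viewed through a known operator role, naming that role as the principal would scope the read more tightly, and if `:root` is deliberate a short note in the Terraform resource that renders this template would record why. The `AllowServicesToPublishFromMgmtAccount` statement now pins `AWS:SourceAccount`, which closes the cross-account confused-deputy case for the cloudwatch.amazonaws.com principal; adding an `ArnLike` condition on `aws:SourceArn` restricted to that account's CloudWatch alarm ARNs (for example `"aws:SourceArn": "arn:aws:cloudwatch:*:${mgmt_account_id}:alarm:*"`, a constructed pattern to adapt) would additionally limit publishers to alarms rather than any CloudWatch resource in the account.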
@@ -16,7 +16,8 @@ resource "aws_sns_topic_policy" "iam_activity" {
 arn = aws_sns_topic.iam_activity[0].arn
 policy = templatefile("${path.module}/files/sns/iam_activity_topic_policy.json.tpl", {
- account_id = data.aws_caller_identity.audit.account_id
+ audit_account_id = data.aws_caller_identity.audit.account_id
+ mgmt_account_id = data.aws_caller_identity.management.account_id
 services_allowed_publish = jsonencode("cloudwatch.amazonaws.com")
 sns_topic = aws_sns_topic.iam_activity[0].arn