我在帐户“A”中有一个SNS主题，该帐户是同一帐户中Lambda功能的触发器。此Lambda函数将消息发送到专用Slack通道。允许CloudWatch警报发送到其他帐户中的SNS

只要CloudWatch警报在同一个帐户（帐户A）中，此方法就可以正常工作。

但我也想从“帐户B”做到这一点，但我得到：

{ 
    "error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC", 
    "actionState": "Failed", 
    "notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC", 
    "stateUpdateTimestamp": 1495732611020, 
    "publishedMessage": null 
} 

那么，如何让CloudWatch的警报ARN访问发布的话题？与

尝试添加的政策失败：

Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725) 

我看到别人有/有同样的问题（年前！）在https://forums.aws.amazon.com/thread.jspa?threadID=143607，但它从来没有回答。

更新：

试图解决这个问题，我现在正在尝试使用本地SNS的主题，然后将其发送至删除帐户。不过，我仍然得到：

"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC" 

这，这个SNS政策：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Sid": "AllowLambdaAccountToSubscribe", 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root" 
     }, 
     "Action": [ 
     "sns:Subscribe", 
     "sns:Receive" 
     ], 
     "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC" 
    }, 
    { 
     "Sid": "AllowLocalAccountToPublish", 
     "Effect": "Allow", 
     "Principal": "*", 
     "Action": "sns:Publish", 
     "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC", 
     "Condition": { 
     "StringEquals": { 
      "AWS:SourceAccount": "LOCAL_ACCOUNT" 
     } 
     } 
    } 
    ] 
} 

如果我手动将消息发送到与话题发表主题，我可以看到，它会达到Lambda函数，因此除了CloudWatch访问权限之外的所有内容。