# Jibe and Amazon SNS

Jibe is able to receive messages from [Amazon SNS](https://docs.aws.amazon.com/sns/) and Amazon SQS to identify Amazon S3 objects that have been modified outside the Access Anywhere Server and sync them with Access Anywhere metadata.

For a simpler configuration without Amazon SNS see [[/jibe/aws-sqs|Jibe and Amazon SQS]].

For general information see [[/jibe]].

## Overview

In this scenario, Jibe connects to an Amazon SQS queue that subscribes to an Amazon SNS topic that receives S3 notification events. You'll need to use a topic and queue when you have non-Jibe consumers of S3 notifications. This configuration is also required to send messages across regions and recommended when sending messages across AWS accounts.

{{ /jibe:aws-sns:aws-sns-arch.png?700 |}}

Jibe can also process notifications from bucket replicas.

## Getting Started

### Access Anywhere Server Setup

Jibe needs an Access Anywhere Server account with an Administrator role in order to synchronize objects. This does not need to be the Org Administrator.

### Create Topic

Create a topic in the region where your buckets are located.

1. Navigate to [Amazon SNS > Topics](https://console.aws.amazon.com/sns/home#/topics).
2. Change regions to where your S3 buckets are located.
3. Create a topic.

Complete the form:

* **Type** - 'Standard' is recommended.
* **Name** - For example `jibe-source-activity`.
* **Access Policy** - Choose 'Basic'.
  * Define who can publish messages to the topic - 'Only the topic owner'.
  * Define who can subscribe to this topic - 'Only the topic owner', or 'Only the specified AWS accounts' if you are creating the queue in another account.

Select Save.

Record the ARN, for example `arn:aws:sns:us-east-1:123456789021:jibe-source-activity`.

#### Topic Permissions

Before Amazon S3 can publish messages to a topic, you must grant the Amazon S3 principal the necessary permissions. Replace the access policy attached to the topic with the following policy. In it, provide your SNS topic ARN, bucket name, and bucket owner's account ID. Note that the example keeps a wildcard `aws:SourceArn`, so it is the `aws:SourceAccount` condition that restricts which buckets may publish to the topic. This example also allows subscription to the topic by a second account.

```json
{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "SNS topic policy",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "SNS:Publish"
      ],
      "Resource": "SNS-topic-ARN",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:*"
        },
        "StringEquals": {
          "aws:SourceAccount": "bucket-owner-account-id"
        }
      }
    },
    {
      "Sid": "Access By Another Account",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::second-account-id:root"
      },
      "Action": "SNS:Subscribe",
      "Resource": "arn:aws:sns:us-west-1:first-account-id:jibe-source-activity"
    }
  ]
}
```

### Send S3 Events to SNS Topic

Select a bucket to configure from the [S3 Management Console](https://s3.console.aws.amazon.com/s3/buckets).

1. Go to the **Properties** tab.
2. Scroll to **Event notifications**.
3. Select **Create event notification**.

Complete the page:

1. For **General configuration** give an Event name such as "Jibe events".
2. Complete **Event types**:
   * All object create events - Enable
   * All object removal events - Enable
3. Complete **Destination**.
4. Change **Destination** to **SNS Topic**.
5. Select your topic from the drop-down.

If your topic is not available, check that you are in the same region.

If you get the following error, there is a problem with granting Amazon S3 permission to publish to your SNS topic:

```
Unable to validate the following destination configurations
```

For more information see [Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html).

### Set up a Queue

Create a "Standard" SQS queue in the account and region where your EC2 instances are running.

1. Navigate to [Amazon SQS > Queues](https://us-east-1.console.aws.amazon.com/sqs/v2/home#/queues).
2. Change the region to where your SNS topics are located.
3. Select **Create queue**.
4. Complete the Details section:
   * **Type** - 'Standard'
   * **Name** - `jibe-source-activity` (for example)
5. Complete the Configuration section:
   * Visibility timeout - Enter 5 minutes
   * Message retention period - Enter 14 days
   * Delivery delay - Leave as 0 seconds
   * Maximum message size - Leave as 256 KB
   * Receive message wait time - Choose 20 seconds
6. Access policy:
   * Define who can send messages to the queue - leave as 'Only the queue owner'
   * Define who can receive messages from the queue - leave as 'Only the queue owner'
7. Select **Create queue** and record the QueueArn.

### Subscribe to Amazon SNS topic

The next step creates a subscription from the queue to the topic.

1. With the queue you just created, choose the **SNS subscriptions** tab.
2. Choose **Subscribe to Amazon SNS topic**.
3. From the drop-down select "Enter Amazon SNS topic ARN".
4. Enter the ARN you copied earlier.
5. Select **Save**.

### AWS IAM Role

If the SQS queue and the EC2 instance where Jibe is running are in the same AWS account, you can use a role to grant access instead of credentials. For example, create an IAM role called `JibeConsumeMessagesRole` with the following policy, replacing the Resource with an ARN filter that matches your account and queue.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:*:410679986536:jibe-source-activity"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "sqs:ListQueues",
      "Resource": "*"
    }
  ]
}
```

Add the IAM role to your EC2 instance. You can do this from the instance detail page: choose Actions > Security > Modify IAM Role.

### Jibe Setup

Continue to set up Jibe as per the section **Jibe Setup** in [[/jibe/aws-sqs|Jibe and Amazon SQS]].
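As an added check for the topic access policy in **Topic Permissions** above (example code written for this page, not Jibe's or AWS's own tooling; the ARNs and account IDs are made up), the following Python walks a topic policy and flags `SNS:Publish` grants to the S3 service principal that lack the `aws:SourceAccount` and `aws:SourceArn` conditions, which are what keep buckets in other accounts from publishing into your topic:

```python
# Constructed sample: the topic access policy from this page with its
# placeholders filled with made-up values (not real ARNs or account IDs).
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:jibe-source-activity"
BUCKET_OWNER = "111111111111"
TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SNS topic policy",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": ["SNS:Publish"],
        "Resource": TOPIC_ARN,
        "Condition": {
            "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:*"},
            "StringEquals": {"aws:SourceAccount": BUCKET_OWNER},
        },
    }],
}
# Constructed weak variant: the same statement with its Condition dropped.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in TOPIC_POLICY["Statement"][0].items() if k != "Condition"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_s3_publish(policy, topic_arn, bucket_owner):
    """Return findings for Allow statements that let the S3 service principal
    publish to the topic. Without aws:SourceAccount, a bucket in any AWS
    account can make S3 publish here (confused deputy); without
    aws:SourceArn the statement is not limited to S3 resources at all."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or "s3.amazonaws.com" not in services:
            continue
        if not actions & {"sns:publish", "sns:*", "*"}:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        if bucket_owner not in accounts:
            findings.append(f"{sid}: aws:SourceAccount missing or not {bucket_owner}")
        if not any("aws:SourceArn" in cond.get(op, {}) for op in ("ArnLike", "ArnEquals")):
            findings.append(f"{sid}: no aws:SourceArn condition")
        if topic_arn not in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource does not name the topic ARN")
    return findings
```

Run it against the policy returned by `aws sns get-topic-attributes` (the `Policy` attribute, parsed as JSON) after you save the topic; an empty list means the publish grant is scoped as the page's policy intends.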
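Once the queue is subscribed to the topic as described under **Subscribe to Amazon SNS topic**, each message a consumer reads from SQS is an SNS envelope whose `Message` field is the S3 event serialized as a string. The following added example (not Jibe's own code; the message bodies are constructed) unwraps such a body into `(eventName, bucket, key)` tuples, also accepts a raw S3 event (SNS raw message delivery, or the simpler S3-to-SQS setup), skips the `s3:TestEvent` that S3 publishes when the notification configuration is saved, and URL-decodes the object keys as S3 event notifications encode them:

```python
import json
from urllib.parse import unquote_plus

# Constructed sample bodies (not captured from a real queue). With the queue
# subscribed to the topic, each SQS body is an SNS envelope whose "Message"
# field is the S3 event notification serialized as a string.
S3_EVENT = {"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put", "awsRegion": "us-east-1",
     "s3": {"bucket": {"name": "example-source-bucket"},
            "object": {"key": "reports/Q1+summary%202024.pdf", "size": 2048}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete", "awsRegion": "us-east-1",
     "s3": {"bucket": {"name": "example-source-bucket"},
            "object": {"key": "old/archive.zip"}}},
]}
SNS_ENVELOPE_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:111111111111:jibe-source-activity",
    "Subject": "Amazon S3 Notification",
    "Message": json.dumps(S3_EVENT),
})
# S3 publishes an s3:TestEvent when the notification configuration is saved.
TEST_EVENT_BODY = json.dumps({"Type": "Notification", "Message": json.dumps(
    {"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "example-source-bucket"})})
# Raw message delivery (or an S3 -> SQS queue without SNS) carries the event directly.
RAW_BODY = json.dumps(S3_EVENT)


def s3_records_from_sqs_body(body):
    """Unwrap one SQS message body into (eventName, bucket, key) tuples.

    Strips the SNS envelope when present, skips the s3:TestEvent that carries
    no Records, and URL-decodes object keys as S3 event notifications encode them.
    """
    payload = json.loads(body)
    if payload.get("Type") == "Notification" and "Message" in payload:
        payload = json.loads(payload["Message"])
    if payload.get("Event") == "s3:TestEvent":
        return []
    out = []
    for rec in payload.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        s3 = rec["s3"]
        out.append((rec["eventName"], s3["bucket"]["name"],
                    unquote_plus(s3["object"]["key"])))
    return out
```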