# AWS SNS event configuration tutorial

This article steps you through configuring Amazon Web Services (AWS) for Pismo event notification delivery. This configuration requires you to create two things in AWS:

1. **Simple Notification Service (SNS) topic:** SNS is a managed service that provides message delivery from publishers to subscribers. Publishers communicate asynchronously with subscribers by sending messages to a *topic*, which is a logical access point and communication channel.
2. **Identity and Access Management (IAM) role:** An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

For this tutorial, you need:

* An AWS account
* Your Pismo Org ID (also known as tenant ID)
* AWS data account ID (from Pismo)

# Configure AWS for Pismo event notifications

1. Log in to Amazon Web Services with your AWS account.
2. Go to the Amazon SNS dashboard (search for `SNS`).
3. In the sidebar, click **Topics**.
4. Create a new topic:
   * Click **Create topic**.
   * Make sure you click **Standard** as the type. This should come up as the default.
   * Under **Name**, enter your topic's name.
   * Click **Create Topic**.
   * In the page that appears, note the **ARN** (Amazon Resource Name) field.
5. Go to the IAM dashboard. (Type **IAM** in **Search** and it appears.)
6. In the sidebar, under **Access Management**, click **Policies**.
7. Select **Create policy** in the upper-right.
8. Click the **JSON** tab and enter the following:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "sns:Publish"
         ],
         "Resource": [
           "arn:aws:sns:us-east-1::"
         ]
       }
     ]
   }
   ```
9. Click **Next:Tags**.
10. Click **Next:Review** and enter the policy name in the **Name** field.
11. Click **Create policy**.
12. Return to the IAM dashboard page.
13. In the sidebar, click **Roles** under **Access Management**.
14. Click **Create role**.
15. Select **AWS account**, then click **Next**.
16. On the page that displays, select the policy you just created and click **Next**.
17. On the **Name, review and create** page, enter a name for your role and then click **Create role**.
18. Contact your Pismo representative to provide the Amazon Resource Names for:
    * IAM role. For example: **arn:aws:iam::303421646629:role/test-pismo-integration-role**
    * SNS topic. For example: **arn:aws:iam::\:\**

Pismo will provide you with an IAM Role to complete the configuration.

# Complete configuration with Pismo's IAM Role

You can complete this procedure after Pismo provides you with the necessary details, such as the Tenant/Org ID and external ID.

1. Return to the IAM dashboard home page and select **Roles** under **Access Management**. Then, click on the role you created for this integration.
2. Select **Trust Relationships**. In the text box that appears, click **Edit trust policy** and enter the following code:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam:::role/dataplatform-lambda-fn-"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": ""
           }
         }
       }
     ]
   }
   ```

   The Tenant/Org ID you enter here **must be lowercase**. The external ID is provided by Pismo.
3. Click **Update policy**.
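
Before sending the ARNs to Pismo, both JSON documents from this tutorial can be checked offline for the mistakes that matter most: a wildcard or unfilled principal, a missing external ID, and a publish permission that is not scoped to one topic. The following Python is an added example, not Pismo's or AWS's own tooling; the function names, the account ID, tenant suffix and external ID are constructed, and it assumes the elided suffix of the role name is the lowercase tenant ID.

```python
import re

# Role-name prefix is from the page; the elided suffix is assumed to be the lowercase tenant ID.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/dataplatform-lambda-fn-[a-z0-9_+=,.@-]+$")
TOPIC_ARN = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_trust_policy(policy):
    """Return problems in the role's trust policy (an empty list means it passed)."""
    problems = []
    for stmt in allow_statements(policy):
        principal = stmt.get("Principal")
        arns = as_list(principal.get("AWS", "")) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if not ROLE_ARN.match(str(arn)):
                problems.append(f"principal is not one specific lowercase role ARN: {arn!r}")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            problems.append("trust statement allows more than sts:AssumeRole")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(ext_id, str) or not ext_id:
            problems.append("sts:ExternalId condition is missing or empty")
    return problems

def check_publish_policy(policy):
    """Return problems in the permissions policy attached to the role."""
    problems = []
    for stmt in allow_statements(policy):
        if as_list(stmt.get("Action")) != ["sns:Publish"]:
            problems.append("statement allows more than sns:Publish")
        for res in as_list(stmt.get("Resource", "")):
            if not TOPIC_ARN.match(str(res)):
                problems.append(f"resource is not one specific topic ARN: {res!r}")
    return problems

# Constructed samples (not real identifiers); TEMPLATE_PUBLISH is the page's template left unfilled.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/dataplatform-lambda-fn-exampletenant"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
TEMPLATE_PUBLISH = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sns:Publish"], "Resource": ["arn:aws:sns:us-east-1::"]}]}

if __name__ == "__main__":
    print(check_trust_policy(GOOD_TRUST), check_publish_policy(TEMPLATE_PUBLISH))
```

An empty list means the document passed; pasting either template from this page without filling in the account ID, topic name, tenant ID or external ID is reported as a problem.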