AWS provifrt is based on terraform you can always lookup for terraform examples and convert them https://github.com/cloudposse/terraform-aws-sns-cloudwatch-sns-alarms

I ended up create the IAM role and specified the roles as part of SNS topic creation like this in golang: topic, err := sns.NewTopic(ctx, snsTopicName, &sns.TopicArgs{ Policy: notificationPolicy, SqsFailureFeedbackRoleArn: snsFeedbackRole.Arn, SqsSuccessFeedbackRoleArn: snsFeedbackRole.Arn, }) The IAM role with this policy: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutMetricFilter", "logs:PutRetentionPolicy" ], "Resource": "*" }] }

Once I did that, the SNS delivery status logs shows up in the cloudwatch