Problem with AWS CloudFront, Lambda, SNS: 503 Error

I have a cloudfront distribution serving content from S3 (works fine). There is a lambda function assigned to the "Viewer request" association (Origins section). This function should send a message via SNS in some cases (failed login). However, when accessing the site, I get a 503 error back.

The lambda function and SNS message itself work fine if triggered from within my account, so I assume it is an IAM problem.

The IAM Basic Execution role for the lambda function includes (besides the LogGroup and LogStream settings) the access rights to the SNS topic:

{
    "Action": [
        "sns:Publish",
        "sns:Subscribe"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:sns:us-east-1:xxxxx"
    ]
}

as well as a trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "edgelambda.amazonaws.com",
                    "lambda.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

The SNS Access policy gives full access to all SNS Actions to my account plus I have added this section:

{
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "edgelambda.amazonaws.com",
      "lambda.amazonaws.com"
    ]
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-1:xxxxx"
}

However, it does not work. Do you have any idea what the issue might be?

Thanks!
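As an added example (not code from the question or from AWS), here is the shape of a viewer-request handler for the scenario described above. It pins the SNS client to the topic's own region, since a Lambda@Edge replica runs in whatever edge region serves the viewer, and it treats a failed publish as non-fatal, because an unhandled exception in a viewer-request function is what CloudFront turns into a 503 for the viewer. The topic ARN, the failed-login condition (a `/login` request with `failed=1` in the query string) and the injectable `publisher` parameter are assumptions for illustration.

```python
"""Lambda@Edge viewer-request handler that reports failed logins via SNS (added example)."""
import logging

log = logging.getLogger(__name__)

# Constructed placeholder ARN; only the region segment (us-east-1) matters here.
TOPIC_ARN = "arn:aws:sns:us-east-1:000000000000:failed-login-topic"


def topic_region(arn):
    """Region of an SNS topic ARN: arn:aws:sns:REGION:ACCOUNT:NAME."""
    return arn.split(":")[3]


def default_publisher(arn, message):
    """Publish with boto3, pinned to the topic's region rather than the edge region."""
    import boto3  # imported lazily so the handler logic can be tested without it
    sns = boto3.client("sns", region_name=topic_region(arn))
    return sns.publish(TopicArn=arn, Message=message)


def is_failed_login(request):
    """Hypothetical condition: the login page redirected back with failed=1."""
    return request.get("uri") == "/login" and "failed=1" in request.get("querystring", "")


def make_event(uri, querystring=""):
    """Constructed viewer-request event in the Lambda@Edge record layout."""
    request = {"uri": uri, "querystring": querystring, "method": "GET", "headers": {}}
    return {"Records": [{"cf": {"request": request}}]}


def handler(event, context=None, publisher=default_publisher):
    """Return the request unchanged; never let a reporting failure break delivery."""
    request = event["Records"][0]["cf"]["request"]
    if is_failed_login(request):
        try:
            publisher(TOPIC_ARN, "Failed login reported at the edge for %s" % request["uri"])
        except Exception as exc:  # an uncaught error here surfaces as a CloudFront 503
            log.warning("SNS publish failed (check IAM role, topic policy, region): %s", exc)
    return request
```

The `publisher` hook lets you exercise the handler locally with a stub; in the deployed function the default boto3 publisher is used.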

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
