如何为 S3 事件编写加密 SQS 的策略声明？

Question

I have an SQS queue which used to have the following policy doc.我有一个 SQS 队列，它曾经有以下策略文档。 for receiving S3 events from a bucket:从存储桶接收 S3 事件：

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

Now, I have enabled Server-side encryption(SSE) for the queue.现在，我为队列启用了服务器端加密（SSE）。 And, I have followed this doc for writing the policy statement for encryption.而且，我已按照此文档编写加密政策声明。 The policy statement now, looks like this:现在的政策声明如下所示：

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

But now, the queue is not getting any messages from the bucket on file additions.但是现在，队列没有从存储桶中获取有关文件添加的任何消息。 Is there something wrong which I did with the permissions?我的权限有问题吗？

Answer 1

This is now possible.这现在是可能的。 From the AWS documentation:从 AWS 文档：

https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3 under the section AWS KMS Key Policy https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3在AWS KMS 密钥策略部分下

If the SQS queue is SSE enabled, you can attach the following key policy to the associated AWS Key Management Service (AWS KMS) customer managed customer master key (CMK).如果 SQS 队列启用了 SSE，您可以将以下密钥策略附加到关联的 AWS Key Management Service (AWS KMS) 客户管理的客户主密钥 (CMK)。 The policy grants the Amazon S3 service principal permission for specific AWS KMS actions that are necessary for to encrypt messages added to the queue.该策略向 Amazon S3 服务委托人授予对加密添加到队列的消息所需的特定 AWS KMS 操作的权限。
 { "Version": "2012-10-17", "Id": "example-ID", "Statement": [ { "Sid": "example-statement-ID", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*" } ] }

Answer 2

I have missed the following announcement from the same article .我错过了同一篇文章中的以下公告。 A very silly mistake on my part.我犯了一个非常愚蠢的错误。 Will need to wait for sending S3 events to encrypted SQS.需要等待将 S3 事件发送到加密的 SQS。

The following features of AWS services aren't currently compatible with encrypted queues: AWS 服务的以下功能目前与加密队列不兼容：

Amazon CloudWatch Events亚马逊 CloudWatch 事件

Amazon S3 Event Notifications Amazon S3 事件通知

Amazon SNS Topic Subscriptions Amazon SNS 主题订阅

Auto Scaling Lifecycle Hooks Auto Scaling 生命周期挂钩

AWS IoT Rule Actions AWS IoT 规则操作

AWS Lambda Dead-Letter Queues AWS Lambda 死信队列

如何为 S3 事件编写加密 SQS 的策略声明？

问题描述

2 个解决方案

解决方案1
8 2020-01-28 23:53:12

解决方案2
4 已采纳 2017-06-16 10:09:32

如何为 S3 事件编写加密 SQS 的策略声明？

问题描述

2 个解决方案

解决方案1 8 2020-01-28 23:53:12

解决方案2 4 已采纳 2017-06-16 10:09:32

解决方案1
8 2020-01-28 23:53:12

解决方案2
4 已采纳 2017-06-16 10:09:32