堆栈内存溢出
  简体   繁体   English

AWS SNS策略IP地址访问

[英]AWS SNS Policy IP Address Access

 原文  2017-12-11 21:46:05       amazon-web-services/ amazon-iam/ amazon-sns

问题描述

In SNS, I set up a topic. 在SNS中,我设置了一个主题。

In IAM, I have set up a policy to allow access to the topics ARN from only from a specific IP address: 在IAM中,我设置了一个策略,仅允许从特定IP地址访问主题ARN: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:us-east-1:111111111111:topic_name",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "xxx.xxx.xxx.x"
                }
            }
        }
    ]
}

I have attached this policy to a group, and added a user to this group. 我已经将此策略附加到了一个网上论坛,并将用户添加到了该网上论坛。

From a C# windows application, I can now subscribe and publish the topic from the specified SourceIp listed in the policy. 现在,从C#Windows应用程序中,我可以从策略中列出的指定SourceIp订阅和发布主题。

But in this case, I need to use the AccessKey and SecretAccessKey of the IAM user. 但是在这种情况下,我需要使用IAM用户的AccessKey和SecretAccessKey。

Is there a way that I can bypass needing the AccessKey and SecretKey as long as the SourceIp is correct? 只要SourceIp正确,有没有一种方法可以绕过需要AccessKey和SecretKey?

I see that the SNS topic "topic policy", but I could not figure out how to add the IpAddress Condition. 我看到了SNS主题“主题策略”,但是我不知道如何添加IpAddress条件。 Is that possible? 那可能吗?

topic policy: 主题政策: 

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:111111111111:topic_name",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111111111111"
        }
      }
    }
  ]
}

1 个解决方案

解决方案1
 1 已采纳  2017-12-11 23:30:07

Amazon SNS requires authentication and authorization to use the service. Amazon SNS需要身份验证和授权才能使用该服务。 This means either an IAM user or role. 这意味着IAM用户或角色。 This means you must use credentials to access the service. 这意味着您必须使用凭据才能访问服务。

I would combine IAM User Policies with SNS Policies to control who (user or service) can publish / subscribe to SNS. 我将IAM用户策略与SNS策略结合使用,以控制谁(用户或服务)可以发布/订阅SNS。

There are many AWS services that can use SNS. 有许多可以使用SNS的AWS服务。 Your IP address policy may break them. 您的IP地址策略可能会破坏它们。

SNS: Controlling User Access to Your AWS Account SNS:控制用户对您的AWS账户的访问

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 允许从IP地址或IAM用户进行访问的AWS访问策略 - AWS access policy to allow access from an IP address or an IAM user AWS SNS 主题访问策略不会阻止用户订阅 - AWS SNS topic access policy does not prevent from users to subscribe AWS 默认访问策略 SNS 主题和 SQS q - AWS default Access Policy SNS topics and SQS q's 使用 AND 和 OR 的 AWS SNS 过滤策略 - AWS SNS filter policy using AND and OR AWS SNS 主题策略 Cloudformation - AWS SNS Topic Policy Cloudformation aws:SourceAccount 和 aws:SourceOwner AWS SNS 访问策略语句有什么区别 - What is difference between aws:SourceAccount and aws:SourceOwner AWS SNS access policy statements AWS CDK 中 S3 存储桶策略中的白名单 IP 地址 - Whitelist IP Address in S3 Bucket Policy in AWS CDK 修改检查器的访问策略 SNS - modify the Access policy SNS for inpector 如何通过AWS Opsworks上的IP地址访问网站? - How to access a website by IP address at AWS Opsworks? 创建访问策略以使用 IP 地址将弹性 beanstalk 连接到 Elasticsearch - Create access policy to connect elastic beanstalk to Elasticsearch using IP address
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM