堆栈内存溢出
  简体   繁体   English

将S3事件订阅到SQS队列而不向世界公开SQS?

[英]Subscribe S3 events to SQS queue without exposing SQS to the world?

 原文  2019-05-03 01:40:12       amazon-web-services/ amazon-s3/ amazon-sqs/ amazon-iam

问题描述

I am struggling with what I would think would be a simple task. 我正在努力解决我认为简单的任务。

I want to configure my SQS queue to allow S3 buckets in my account to send messages, but disallow outsiders to send messages. 我想配置我的SQS队列以允许我帐户中的S3存储桶发送消息,但不允许外人发送消息。 (Outsiders means any principal that is not a member of my AWS account) (局外人是指任何不是我的AWS账户成员的委托人)

The only SQS permission configuration that I can get to work is Effect=Allow, Principals=*, Actions=SQS:SendMessage, Conditions=None 我可以使用的唯一SQS权限配置是Effect=Allow, Principals=*, Actions=SQS:SendMessage, Conditions=None

Any other permission causes me to see this error when I create the [S3 event -> SQS]: Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket. 创建[S3事件 - > SQS]时,任何其他权限都会导致我看到此错误: Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket. Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket.

Principals=* concerns me. Principals=*关心我。 From the documentation I can find, this means that the SQS queue is accessible from anyone in the world. 从我可以找到的文档中,这意味着可以从世界上的任何人访问SQS队列。 Is this true? 这是真的? This is obviously very bad. 这显然非常糟糕。

How can I allow my S3 buckets to SendMessage to my SQS queue, and not anonymous users to push messages? 如何允许我的S3存储桶将SendMessage发送到我的SQS队列,而不是匿名用户来推送消息?

It is acceptable to me to allow any resource in my AWS account to SendMessage to SQS. 我可以允许将我的AWS账户中的任何资源允许SendMessage发送到SQS。 I just need to block access to anonymous AWS users. 我只需要阻止访问匿名AWS用户。 This is a very basic requirement and I'm very surprised that I can't find a simple way to do this. 这是一个非常基本的要求,我很惊讶我找不到一个简单的方法来做到这一点。

1 个解决方案

解决方案1
 3 已采纳  2019-05-03 02:27:23

You can find the secure configuration right in the document 您可以在文档中找到安全配置 

   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
   }

Note that for both the Amazon SNS and Amazon SQS IAM policies, you can specify the StringLike condition in the policy, instead of the ArnLike condition. 请注意,对于Amazon SNS和Amazon SQS IAM策略,您可以在策略中指定StringLike条件,而不是ArnLike条件。 

"Condition": {         
  "StringLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
  }

Full example pulled from the doc 文档中提取的完整示例 

{
   "Sid": "example-statement-ID",
   "Effect": "Allow",
   "Principal": {
     "AWS": "*"  
   },
   "Action": [
    "SQS:SendMessage"
   ],
   "Resource": "SQS-ARN",
   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
   }
  }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 无法在 S3 中配置 SQS 队列通知 - Unable to configure SQS queue notification in S3 S3事件的Cloudformation SQS策略 - Cloudformation SQS Policy for S3 events AWS SQS 中缺少 s3 事件 - Missing s3 events in AWS SQS 如何配置 AWS SQS 队列以侦听已创建的 S3 存储桶的事件 - How to configure AWS SQS Queue to Listen already created S3 bucket's events Amazon SQS-FIFO 队列是否有替代解决方案来维护从 S3 接收的事件顺序? - Is there a alternative solution for Amazon SQS-FIFO Queue to maintain Order of events that are received from S3? 将消息从 S3 中托管的网页发送到 SQS 队列 - Sending message from webpage hosted in S3 to SQS queue 如何使用 AWS SQS 队列将数据存储到 s3 存储桶中 - How to store data into s3 bucket using an AWS SQS Queue 可以将SQS消息属性添加到S3事件生成的SQS消息中吗? - Can you add SQS message attributes to SQS messages generated by S3 events? 如何在 Java 中为 SQS 队列订阅 SNS 主题 - How to subscribe a SQS queue to a SNS topic in Java 在 golang 中订阅 SNS 主题和/或 SQS 队列? - Subscribe to an SNS topic and / or SQS queue in golang?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM