
Unable to validate the following destination configurations in Cloudformation for S3 to SQS notifications with a configured SQS policy

I get the status UPDATE_FAILED for an S3 bucket with logical ID MyBucket, explained by the following status reason in the CloudFormation console:

Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: ABCDEFGHIJK; S3 Extended Request ID: Aqd2fih3ro981DED8wq48io9e51rSD5e3Fo3iw5ue31br; Proxy: null)

I have the following CloudFormation template:

AWSTemplateFormatVersion: '2010-09-09'

Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-bucket-name
      NotificationConfiguration:
        QueueConfigurations:
          - Event: s3:ObjectCreated:Put
            Filter:
              S3Key:
                Rules:
                  - Name: suffix
                    Value: jpg
            Queue: !GetAtt MyQueue.Arn

  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: my-queue
      KmsMasterKeyId: alias/an-encryption-key
  
  MyQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref MyQueue
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
            Action: SQS:SendMessage
            Resource: !GetAtt MyQueue.Arn
        
  EncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Id: some-id
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: "kms:*"
            Resource: '*'
      KeyUsage: ENCRYPT_DECRYPT

  EncryptionKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/an-encryption-key
      TargetKeyId: !Ref EncryptionKey

What changes should I perform on the template in order to make the CloudFormation stack succeed? The status reason is too vague for me to understand what is going wrong. I know that it is related to the notification configuration because CloudFormation succeeds if I remove it. Other similar posts on Stackoverflow mention a missing or inaccurate queue policy, but since I have a queue policy I do not think that that is the problem.

The problem is that since server-side encryption is enabled on the queue, S3 should be able to:

  • let KMS generate an appropriate data key
  • decrypt using the EncryptionKey

Add a statement with the S3 service as principal that allows the above-mentioned actions:

- Effect: Allow
  Principal:
    Service: s3.amazonaws.com
  Action:
    - kms:GenerateDataKey
    - kms:Decrypt
  Resource: "*"
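To see why the original template fails and the answer's statement fixes it, here is an added offline check (not code from the question, the answer, or AWS): it takes the rendered KMS key policy and SQS queue policy as Python dicts and reports which actions the s3.amazonaws.com service principal is still missing. The policy documents are constructed from the template above with the !Sub/!GetAtt references resolved to placeholder values (account 111122223333, region us-east-1), and the "before"/"after" key policies differ only by the statement given in the answer.

```python
# Added example: static check of the policies S3 needs to deliver
# notifications to a KMS-encrypted SQS queue. Not part of the original post.
import copy
import fnmatch

S3_SERVICE = "s3.amazonaws.com"
# Actions the S3 service principal needs on the queue's KMS key (per the answer)
REQUIRED_KMS_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
# Action it needs on the queue itself (already present in the question's policy)
REQUIRED_SQS_ACTIONS = {"sqs:SendMessage"}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_allow_statements(policy, service):
    """Return the Allow statements whose Principal.Service names `service`."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # a bare "*" principal is not a service grant we want to rely on
        if service in _as_list(principal.get("Service")):
            found.append(stmt)
    return found


def _action_allowed(action, patterns):
    # IAM action names are case-insensitive and may contain '*' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, service, required):
    """Required actions that no Allow statement grants to `service`.

    Deliberately simple: Deny statements and Condition blocks are not evaluated.
    """
    granted = []
    for stmt in service_allow_statements(policy, service):
        granted.extend(_as_list(stmt.get("Action")))
    return {a for a in required if not _action_allowed(a, granted)}


# Constructed from the question's EncryptionKey.KeyPolicy; account id is a placeholder.
KEY_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Id": "some-id",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# The same key policy with the statement from the answer appended.
KEY_POLICY_AFTER = copy.deepcopy(KEY_POLICY_BEFORE)
KEY_POLICY_AFTER["Statement"].append(
    {
        "Effect": "Allow",
        "Principal": {"Service": S3_SERVICE},
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": "*",  # in a key policy, "*" means this key only
    }
)

# Constructed from the question's MyQueuePolicy; queue ARN is a placeholder.
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["s3.amazonaws.com"]},
            "Action": "SQS:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:my-queue",
        }
    ],
}


def check_notification_policies(key_policy, queue_policy):
    """Return missing grants per policy; empty sets mean S3 can deliver."""
    return {
        "kms": missing_actions(key_policy, S3_SERVICE, REQUIRED_KMS_ACTIONS),
        "sqs": missing_actions(queue_policy, S3_SERVICE, REQUIRED_SQS_ACTIONS),
    }


if __name__ == "__main__":
    print("before:", check_notification_policies(KEY_POLICY_BEFORE, QUEUE_POLICY))
    print("after: ", check_notification_policies(KEY_POLICY_AFTER, QUEUE_POLICY))
```

Run against the "before" policy the check reports both KMS actions missing while the queue policy is already fine, which is exactly the situation in the question: the queue policy is correct, so the vague InvalidArgument comes from the key policy, and the statement from the answer belongs in EncryptionKey's KeyPolicy, not in MyQueuePolicy. The root-account statement does not help because its principal is an AWS account, not the S3 service. Two caveats: "*" as Resource in a key policy scopes the grant to that key alone, so it is not a wildcard over all keys; and this is a linter, not the IAM policy evaluator, so it ignores Deny statements and Conditions (in practice the queue and key statements are usually further restricted with aws:SourceAccount or aws:SourceArn conditions naming the bucket).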
