
Access control of AWS SQS subscription for AWS SNS topic

I have a NodeJS application that publishes messages to an AWS SNS topic, and an AWS SQS subscription for the same topic. On the SQS console, I can see the published message. However, I am not clear about the access policy of the SQS queue.

This answer mentions the use of "Principal": "*", but that is very broad. One could probably use "Principal": {"AWS": "*"}; but that isn't narrow either.

{
  "Version": "2012-10-17",
  "Id": "Policy1607949016538",
  "Statement": [
    {
      "Sid": "Stmt1607949012567",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:ap-south-1:463113000000:orders"
    }
  ]
}

Questions

  1. While delivering a message to the SQS queue as a result of the subscription, which user is in effect? The same one who published to the topic?
  2. I could get the messages to flow into the queue only when I used "Principal": {"AWS": "*"}. So, how should I define a restrictive policy such that messages are written to the queue only as a result of the subscription?
  3. What is the equivalent in the AWS SQS CLI to create a queue with "Principal": {"AWS": "*"} permissions?

  1. The only user that matters is the one that qualifies for the policy as defined for the subscription and the SQS access policy.
  2. The Condition in the policy document can make the overall policy restrictive. See the example below.
  3. Adding SQS permissions with conditions using an AWS CLI command

Example policy document restricting access to an account ID.

{
  "Version": "2012-10-17",
  "Id": "Policy1607960702002",
  "Statement": [
    {
      "Sid": "Stmt1607960701004",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:ap-south-1:463113000000:orders",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "463113000000"
        }
      }
    }
  ]
}
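The policy above gates on aws:SourceAccount, which narrows delivery to topics in one account but still lets any SNS topic in that account write to the queue. The following is an added example, not code from the original question or answer: it builds a tighter queue policy that allows only the SNS service principal acting on behalf of one named topic (via aws:SourceArn), serializes it in the shape `aws sqs create-queue` / `set-queue-attributes` expect for `--attributes`, and runs a deliberately small model of IAM statement evaluation over three constructed request contexts so the two policies can be compared. Assumptions: the topic ARN `arn:aws:sns:ap-south-1:463113000000:orders-topic`, the second topic, and the outside IAM user are invented for illustration; only Allow statements with exact-match StringEquals/ArnEquals are modelled, and this is not the real IAM engine.

```python
"""Added example: topic-scoped vs account-scoped SQS queue policies for an SNS
subscription, plus a toy model of how IAM matches a statement. Not the real
IAM engine: Allow only, exact-match StringEquals/ArnEquals only."""
import json

# Region and account ID come from the post; the topic names and the outside
# caller below are assumed for illustration.
ACCOUNT_ID = "463113000000"
QUEUE_ARN = "arn:aws:sqs:ap-south-1:463113000000:orders"
TOPIC_ARN = "arn:aws:sns:ap-south-1:463113000000:orders-topic"
OTHER_TOPIC_ARN = "arn:aws:sns:ap-south-1:463113000000:unrelated-topic"


def topic_scoped_policy(queue_arn: str, topic_arn: str) -> dict:
    """Only the SNS service principal, and only on behalf of one topic.
    aws:SourceArn is populated when an AWS service calls SQS for a resource it
    manages; a caller using their own credentials never carries it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrdersTopicDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def account_scoped_policy(queue_arn: str, account_id: str) -> dict:
    """The answer's shape: any principal, gated only by aws:SourceAccount,
    so every topic in the account may deliver to the queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSameAccountServices",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["sqs:ReceiveMessage", "sqs:SendMessage"],
            "Resource": queue_arn,
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def queue_attributes(policy: dict) -> dict:
    """Value for --attributes on create-queue/set-queue-attributes: a map whose
    Policy entry is the policy document serialized as a JSON *string*."""
    return {"Policy": json.dumps(policy)}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(spec, principal: dict) -> bool:
    # In a resource policy "*" and {"AWS": "*"} both mean any caller.
    if spec == "*":
        return True
    return any("*" in _as_list(v) or principal.get(k) in _as_list(v)
               for k, v in spec.items())


def _conditions_match(condition: dict, context: dict) -> bool:
    # Exact match only; a key missing from the request context fails the
    # test (no ...IfExists handling in this model).
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "ArnEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def allowed(policy: dict, request: dict) -> bool:
    """Default deny: some Allow statement must match principal, action,
    resource and every condition. Explicit Deny is not modelled."""
    for st in policy["Statement"]:
        if (st["Effect"] == "Allow"
                and _principal_matches(st["Principal"], request["principal"])
                and request["action"] in _as_list(st["Action"])
                and request["resource"] in _as_list(st["Resource"])
                and _conditions_match(st.get("Condition", {}), request["context"])):
            return True
    return False


def sns_delivery(topic_arn: str) -> dict:
    """Constructed request context for SNS delivering a message to the queue."""
    return {"principal": {"Service": "sns.amazonaws.com"},
            "action": "sqs:SendMessage", "resource": QUEUE_ARN,
            "context": {"aws:SourceArn": topic_arn,
                        "aws:SourceAccount": topic_arn.split(":")[4]}}


# Constructed: an IAM user from another account calling SendMessage directly.
# No service acts on a resource's behalf here, so no aws:Source* keys exist.
DIRECT_CALL = {"principal": {"AWS": "arn:aws:iam::999999999999:user/outsider"},
               "action": "sqs:SendMessage", "resource": QUEUE_ARN, "context": {}}

if __name__ == "__main__":
    for name, policy in [("topic-scoped", topic_scoped_policy(QUEUE_ARN, TOPIC_ARN)),
                         ("account-scoped", account_scoped_policy(QUEUE_ARN, ACCOUNT_ID))]:
        print(name, "subscribed topic:", allowed(policy, sns_delivery(TOPIC_ARN)),
              "| other topic:", allowed(policy, sns_delivery(OTHER_TOPIC_ARN)),
              "| direct call:", allowed(policy, DIRECT_CALL))
    print(json.dumps(queue_attributes(topic_scoped_policy(QUEUE_ARN, TOPIC_ARN))))
```

Write the last line of output to `attributes.json` and pass it to the CLI as `aws sqs create-queue --queue-name orders --attributes file://attributes.json`, or to an existing queue with `aws sqs set-queue-attributes --queue-url <queue URL> --attributes file://attributes.json`; the double encoding is deliberate, because the Policy attribute is a string, not nested JSON. Two points the run makes visible: the account-scoped policy does not open the queue to the direct caller either, since aws:SourceAccount is absent from that request, but it does accept the unrelated topic in the same account, which the topic-scoped policy rejects. The topic-scoped policy also drops sqs:ReceiveMessage from the queue policy; a same-account consumer can be granted that on its own IAM identity instead, which keeps the queue policy to the one cross-service grant it actually needs.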

Disclaimer: the technical posts on this site are published under the CC BY-SA 4.0 license; if you need to republish, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM