Why do some AWS services require the requestor to have IAM policies?

Like connecting Lambda to SNS, for example.

I tried setting up a SNS TopicPolicy that allows publishing to SNS from my VPC CIDR group. This didn't work and required me to make a SNS Publish action role and attach that to the Lambda instead.

I would have guessed that the action denial was on the service, and not the requestor, but that doesn't seem to be the case.

It looks like this behavior just depends on the service.

In the case of SNS, the default permission is to allow access to the topic from all services in your account: Example cases for Amazon SNS access control. I agree with you that this important point should be a bit more obviously stated.

Amazon SNS grants a default policy to all newly created topics. The default policy grants access to your topic to all other AWS services. This default policy uses an aws:SourceArn condition to ensure that AWS services access your topic only on behalf of AWS resources you own.

Here's what the default policy looks like if you're curious. Notice that the Principal is *.

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:XXX:XXXX:testTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "XXXX"
        }
      }
    }
  ]
}

With Lambda, however, you need to explicitly grant access permissions when working with other services.
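An added illustration (not part of the answer, and not AWS's own policy evaluator) of why the topic policy alone did not help the asker: a toy evaluator run over a trimmed copy of the default topic policy above and a hypothetical least-privilege statement for the Lambda execution role. It assumes the simplified same-account rule that an Allow in either the identity policy or the resource policy is sufficient, and that a request made by Lambda function code through the SDK carries no aws:SourceOwner key in its context, whereas a call made by an AWS service on behalf of one of your resources does.

```python
import fnmatch

TOPIC_ARN = "arn:aws:sns:XXX:XXXX:testTopic"  # placeholders copied from the answer
EMPTY_POLICY = {"Statement": []}

# Trimmed copy of the default SNS topic policy shown above (two of its actions).
TOPIC_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Publish", "SNS:Subscribe"],
    "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": "XXXX"}},
}]}

# Hypothetical least-privilege statement attached to the Lambda execution role.
ROLE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN,
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource, context):
    """Action and Resource match case-insensitively with * wildcards; every
    StringEquals key must be present in the request context (keys lower-cased)."""
    if not any(fnmatch.fnmatch(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key.lower()) not in _as_list(wanted):
            return False  # key absent from the request context -> condition fails
    return True

def policy_allows(policy, action, resource, context):
    return any(s["Effect"] == "Allow" and statement_matches(s, action, resource, context)
               for s in policy["Statement"])

def request_allowed(identity_policy, resource_policy, action, resource, context):
    """Simplified same-account rule (assumption): an Allow in either the caller's
    identity policy or the topic's resource policy suffices; Deny is not modelled."""
    return (policy_allows(identity_policy, action, resource, context)
            or policy_allows(resource_policy, action, resource, context))

if __name__ == "__main__":
    sdk_call = {}                               # Lambda code calling Publish: no aws:SourceOwner
    service_call = {"aws:sourceowner": "XXXX"}  # an AWS service publishing for your resource
    print(request_allowed(EMPTY_POLICY, TOPIC_POLICY, "sns:Publish", TOPIC_ARN, sdk_call))      # False
    print(request_allowed(ROLE_POLICY, TOPIC_POLICY, "sns:Publish", TOPIC_ARN, sdk_call))       # True
    print(request_allowed(EMPTY_POLICY, TOPIC_POLICY, "sns:Publish", TOPIC_ARN, service_call))  # True
```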
