
Subscribe S3 events to SQS queue without exposing SQS to the world?

I am struggling with what I would think would be a simple task.

I want to configure my SQS queue to allow S3 buckets in my account to send messages, but disallow outsiders to send messages. (Outsiders means any principal that is not a member of my AWS account)

The only SQS permission configuration that I can get to work is Effect=Allow, Principals=*, Actions=SQS:SendMessage, Conditions=None

Any other permission causes me to see this error when I create the [S3 event -> SQS]: Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket. Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket.

Principals=* concerns me. From the documentation I can find, this means that the SQS queue is accessible from anyone in the world. Is this true? This is obviously very bad.

How can I allow my S3 buckets to SendMessage to my SQS queue, and not anonymous users to push messages?

It is acceptable to me to allow any resource in my AWS account to SendMessage to SQS. I just need to block access to anonymous AWS users. This is a very basic requirement and I'm very surprised that I can't find a simple way to do this.

You can find the secure configuration right in the document

   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
   }

Note that for both the Amazon SNS and Amazon SQS IAM policies, you can specify the StringLike condition in the policy, instead of the ArnLike condition.

   "Condition": {
      "StringLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
   }

Full example pulled from the doc

{
   "Sid": "example-statement-ID",
   "Effect": "Allow",
   "Principal": {
      "AWS": "*"
   },
   "Action": [
      "SQS:SendMessage"
   ],
   "Resource": "SQS-ARN",
   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
   }
}
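To see why `Principal: "*"` plus the `aws:SourceArn` condition is not world-open, here is an added example (not from the answer or from AWS) that builds the queue policy with both `aws:SourceArn` and `aws:SourceAccount` and walks a simplified condition evaluator over request contexts; the account id, region, queue and bucket names are constructed placeholders, and the evaluator is an approximation of IAM semantics, not AWS's engine.

```python
import fnmatch

ACCOUNT_ID = "123456789012"  # constructed placeholder; substitute your own values
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:s3-events"
BUCKET_NAME = "example-bucket"

def build_queue_policy(queue_arn: str, bucket_name: str, account_id: str) -> dict:
    """SQS access policy: Principal "*" narrowed to notifications from one bucket.
    aws:SourceArn pins the bucket; aws:SourceAccount also pins the owning account,
    so a same-named bucket recreated in a foreign account cannot publish either."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3NotificationsFromOwnBucket",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["SQS:SendMessage"],
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }

def _condition_matches(operator: str, pairs: dict, context: dict) -> bool:
    """Simplified IAM condition semantics (an approximation, not AWS's evaluator):
    a context key absent from the request fails the condition, which is why an
    anonymous SendMessage, carrying no aws:SourceArn, is denied."""
    for key, pattern in pairs.items():
        value = context.get(key)
        if value is None:
            return False
        if operator in ("ArnLike", "StringLike"):
            if not fnmatch.fnmatchcase(value, pattern):
                return False
        elif operator == "StringEquals" and value != pattern:
            return False
    return True

def send_message_allowed(policy: dict, resource: str, context: dict) -> bool:
    """True if some Allow statement grants SQS:SendMessage on resource under context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "SQS:SendMessage" not in stmt["Action"]:
            continue
        if stmt["Resource"] != resource:
            continue
        if all(_condition_matches(op, kv, context) for op, kv in stmt.get("Condition", {}).items()):
            return True
    return False
```

S3 sends `aws:SourceArn` as `arn:aws:s3:::bucket-name` (no region or account segment), which is why the documented pattern uses `*` in those positions.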
