
AWS IAM policy for Event-Bridge to SQS with deny

I want to restrict my SQS queue to accept messages only from an EventBridge rule. The policy below looks correct with the Deny in place, but SQS is not receiving messages with it. Any input appreciated.

{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "sid",
      "Action": [
        "sqs:SendMessage"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:sqs:us-east-1:***:sri-test-queue-3",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:events:us-east-1:***:rule/sri-test-bus/sri-test-sqs-rule"
        }
      },
      "Principal": "*"
    }
  ]
}

The one generated by EventBridge to allow SQS access looks like this:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "AWSEvents_sri-test-sqs-rule_Id12",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:***:sri-test-queue-3",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:events:us-east-1:***:rule/sri-test-bus/sri-test-sqs-rule"
        }
      }
    }
  ]
}

Use the bottom policy. An SQS queue policy denies by default, so you do not need to worry about other resources posting messages to SQS. The policy would allow only arn:aws:events:us-east-1:***:rule/sri-test-bus/sri-test-sqs-rule to send the messages.

The problem with the policy statement you wrote was that you did not have an "Allow" statement, so SQS is denying SendMessage actions from every source.

We just had to try some combination of principal types to achieve this; the one below finally worked:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ownerstatement",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:xxxx:sri-test-queue-3"
    },
    {
      "Sid": "DenyAllExceptBus",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:xxxx:sri-test-queue-3",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": [
            "arn:aws:events:us-east-1:xxxx:rule/sri-test-bus/sri-test-sqs-rule"
          ]
        }
      }
    }
  ]
}
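As an added example (not code from the original question or either answer): a small Python model of how a queue policy is evaluated, run over the three policies in this thread plus a fourth that keeps only the combined policy's unconditioned Allow. It assumes a placeholder account id (123456789012) and a hypothetical second rule ARN, does exact ARN matching only (no wildcards), treats a negated operator such as ArnNotEquals as true when aws:SourceArn is absent from the request (as on a direct IAM API call), and does not model identity-based policies or cross-account rules.

```python
# Added example: toy evaluator for the SQS queue policies in this thread.
# Assumptions: account id 123456789012 is a placeholder; ArnEquals/ArnNotEquals
# are exact matches (no wildcard ARNs); a missing condition key makes a negated
# operator (ArnNotEquals) true; identity-based policies are NOT modelled.
ACCOUNT = "123456789012"
QUEUE = f"arn:aws:sqs:us-east-1:{ACCOUNT}:sri-test-queue-3"
RULE = f"arn:aws:events:us-east-1:{ACCOUNT}:rule/sri-test-bus/sri-test-sqs-rule"
OTHER_RULE = f"arn:aws:events:us-east-1:{ACCOUNT}:rule/default/some-other-rule"  # hypothetical

# The combined policy's two statements, with *** replaced by the placeholder account.
ALLOW_SERVICE = {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
                 "Action": "sqs:SendMessage", "Resource": QUEUE}
DENY_OTHERS = {"Effect": "Deny", "Principal": {"AWS": "*"},
               "Action": "sqs:SendMessage", "Resource": QUEUE,
               "Condition": {"ArnNotEquals": {"aws:SourceArn": [RULE]}}}

POLICIES = {
    "deny_only": {"Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": ["sqs:SendMessage"],
        "Resource": QUEUE, "Condition": {"ArnNotEquals": {"aws:SourceArn": RULE}}}]},
    "generated_allow": {"Statement": [{
        "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sqs:SendMessage", "Resource": QUEUE,
        "Condition": {"ArnEquals": {"aws:SourceArn": RULE}}}]},
    "combined": {"Statement": [ALLOW_SERVICE, DENY_OTHERS]},
    "allow_service_no_condition": {"Statement": [ALLOW_SERVICE]},
}

# Constructed requests: who is calling, and what aws:SourceArn (if any) is set.
REQUESTS = {
    "own_rule":   {"principal": {"Service": "events.amazonaws.com"},
                   "context": {"aws:SourceArn": RULE}},
    "other_rule": {"principal": {"Service": "events.amazonaws.com"},
                   "context": {"aws:SourceArn": OTHER_RULE}},
    "iam_user":   {"principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/alice"},
                   "context": {}},  # a direct API call carries no aws:SourceArn
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def principal_matches(principal, caller):
    """Principal "*" and {"AWS": "*"} match everyone; otherwise require an
    exact match on the same principal type (Service or AWS)."""
    if principal == "*":
        return True
    for ptype, values in principal.items():
        for v in _as_list(values):
            if (ptype == "AWS" and v == "*") or caller.get(ptype) == v:
                return True
    return False


def condition_matches(condition, context):
    """All condition operators in a statement must hold for it to apply."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "ArnEquals":
                if actual not in _as_list(expected):  # missing key -> false
                    return False
            elif operator == "ArnNotEquals":
                # Negated operator: true when the key is absent or differs.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, request, action="sqs:SendMessage", resource=QUEUE):
    """Resource-policy logic: implicit deny unless some Allow matches, and
    any matching explicit Deny overrides every Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        applies = (principal_matches(stmt["Principal"], request["principal"])
                   and action in _as_list(stmt["Action"])
                   and resource in _as_list(stmt["Resource"])
                   and condition_matches(stmt.get("Condition"), request["context"]))
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def decision_table():
    """Decision for every (policy, request) pair above."""
    return {p: {r: evaluate(POLICIES[p], REQUESTS[r]) for r in REQUESTS}
            for p in POLICIES}


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:27}", "  ".join(f"{r}={d}" for r, d in row.items()))
```

The table makes the answer's point concrete: the Deny-only policy contains no Allow, so even the intended rule ends at ImplicitDeny, while the generated Allow and the combined policy both admit only the named rule. The fourth row shows why the explicit Deny in the final policy is doing real work: the ownerstatement Allow has no aws:SourceArn condition, so on its own it lets any EventBridge rule, not just this one, deliver to the queue. One thing the model deliberately leaves out: a same-account IAM principal can be permitted to call SendMessage by its own identity-based policy without any Allow in the queue policy, which is precisely the path that an explicit Deny with ArnNotEquals closes.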

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM