
How do I write the policy statement of an encrypted SQS for S3 events?

I have an SQS queue that used to have the following policy document, so that it could receive S3 events from a bucket:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

Now I have enabled server-side encryption (SSE) for the queue, and I have written the policy statement for the encrypted queue by following this document. The policy statement now looks like this:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

But now the queue is not getting any messages from the bucket about files being added. Is there a problem with my permissions?

This is now possible. From the AWS documentation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3, under the "AWS KMS key policy" section:

If the SQS queue is SSE enabled, you can attach the following key policy to the associated AWS Key Management Service (AWS KMS) customer managed customer master key (CMK). The policy grants the Amazon S3 service principal permission for the specific AWS KMS actions that are necessary to encrypt messages added to the queue.

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
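As an added example (not part of the question or of the AWS documentation quoted above), the following offline check takes a queue policy and a KMS key policy and reports why S3 could not deliver to an SSE-enabled queue: it requires the S3 service principal to hold sqs:SendMessage on the queue (subject to the aws:SourceArn condition) and kms:GenerateDataKey plus kms:Decrypt in the key policy, and it flags a statement with no Principal and kms: actions placed in the queue policy, where they grant nothing. The ARNs and account id are constructed placeholders.

```python
import fnmatch
S3_SERVICE = "s3.amazonaws.com"
REQUIRED_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns):
    # IAM-style wildcard match ('*' and '?'), as used by ArnLike and action globbing.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _covers_s3(stmt):
    # True if Principal names the S3 service principal or everyone; a statement with no Principal covers nobody.
    p = stmt.get("Principal")
    if p == "*":
        return True
    return isinstance(p, dict) and ("*" in _as_list(p.get("AWS", [])) or S3_SERVICE in _as_list(p.get("Service", [])))

def _allows(stmt, action, resource):
    if stmt.get("Effect") != "Allow" or not _covers_s3(stmt):
        return False
    return _matches(action, stmt.get("Action", [])) and _matches(resource, stmt.get("Resource", "*"))

def check_s3_to_sse_queue(queue_policy, key_policy, queue_arn, bucket_arn):
    """Return findings explaining why S3 could not deliver to an SSE queue; [] means both policies fit."""
    findings, send_ok = [], False
    for s in queue_policy.get("Statement", []):
        if "Principal" not in s:
            findings.append(f"queue statement {s.get('Sid', '<no Sid>')}: no Principal (invalid in a resource policy)")
        if any(a.startswith("kms:") for a in _as_list(s.get("Action", []))):
            findings.append("queue policy carries kms: actions; they only take effect in the KMS key policy")
        src = s.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
        if _allows(s, "sqs:SendMessage", queue_arn) and (src is None or _matches(bucket_arn, src)):
            send_ok = True
    if not send_ok:
        findings.append("queue policy does not let S3 call sqs:SendMessage on the queue")
    # A key policy refers to its own key as Resource "*", so that is the resource we ask about.
    if not any(all(_allows(s, a, "*") for a in REQUIRED_KMS_ACTIONS) for s in key_policy.get("Statement", [])):
        findings.append("key policy does not grant s3.amazonaws.com kms:GenerateDataKey and kms:Decrypt")
    return findings

# Constructed sample modelled on the policies in the thread; the account id is a placeholder.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:cypher-queue"
BUCKET_ARN = "arn:aws:s3:::cypher-secondarybucket"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": S3_SERVICE},
    "Action": list(REQUIRED_KMS_ACTIONS), "Resource": "*"}]}
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": S3_SERVICE},
    "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"}}}]}
```

Running `check_s3_to_sse_queue(QUEUE_POLICY, {}, QUEUE_ARN, BUCKET_ARN)` reproduces the situation in the question, where the queue policy is fine but the key policy is missing.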

I missed the following announcement in the same article. I made a very silly mistake. Sending S3 events to an encrypted SQS queue will have to wait.

The following features of AWS services are not currently compatible with encrypted queues:

Amazon CloudWatch Events
Amazon S3 event notifications
Amazon SNS topic subscriptions
Auto Scaling lifecycle hooks
AWS IoT rule actions
AWS Lambda dead-letter queues
