
Accessing an Encrypted SNS Topic with Access policy

I am trying to get CloudWatch to send to my SNS topic. The topic is encrypted. But I get this error

Received error: "CloudWatch Alarms does not have permission to access the SNS topic encryption key."

I have added the KMS permissions to the access policy associated with the SNS topic, but I get this error when trying to save that policy

Error code: InvalidParameter - Error message: Error setting attribute access policy. Invalid parameter: Policy statement action out of service scope!

Am I misunderstanding something in the policy?

{
    "Version": "2012-10-17",
    "Id": "SNS",
    "Statement": [
        {
            "Sid": "SNSPolicy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:GetTopicAttributes",
                "SNS:SetTopicAttributes",
                "SNS:AddPermission",
                "SNS:RemovePermission",
                "SNS:DeleteTopic",
                "SNS:Subscribe",
                "SNS:ListSubscriptionsByTopic",
                "SNS:Publish"
            ],
            "Resource": "arn:aws:sns:*:my-account-name:my-topic-name"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudwatch.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:*:my-account-name:key/*"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:RequestAlias": "alias/my-alias-name"
                }
            }
        }
    ]
}

CloudWatch does not have the necessary permissions to access the KMS key that the SNS topic is using.

The following SNS topic access policy will provide access for Amazon CloudWatch Events.

{
    "Version": "2012-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:GetTopicAttributes",
                "SNS:SetTopicAttributes",
                "SNS:AddPermission",
                "SNS:RemovePermission",
                "SNS:DeleteTopic",
                "SNS:Subscribe",
                "SNS:ListSubscriptionsByTopic",
                "SNS:Publish"
            ],
            "Resource": "arn:aws:sns:<region>:<account>:<snstopic>",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "<account>"
                }
            }
        },
        {
            "Sid": "AWSEvents_test_Id10633056916634",
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:<region>:<account>:<snstopic>"
        }
    ]
}

Under the customer-managed KMS key policy, this will provide access for the Amazon CloudWatch Events source.

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account>:<iamuser>",
                "Service": "cloudwatch.amazonaws.com"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Multiple AWS services publish events to Amazon SNS topics. To learn more, please refer here
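The thread turns on two separate policies: the SNS topic policy, which SNS validates against its own service scope (hence "Policy statement action out of service scope!" when it contains kms: actions), and the KMS key policy, which is where the publishing service principal actually needs kms:Decrypt and kms:GenerateDataKey. The following offline checker is an added example, not code from the question or the answer; the policy documents inside it are constructed to mirror the shapes posted above (account id 111122223333, region and topic name are placeholders), and it also contrasts the answer's kms:* grant with a least-privilege statement that grants only the two actions a publisher needs.

```python
"""Offline checks for an encrypted SNS topic's two policies (added example,
not from the thread): (1) does the topic policy carry only sns: actions, and
(2) does the KMS key policy grant the publishing service the key permissions
it needs, and does it grant more than that?"""
import fnmatch
import json

# KMS permissions a publisher such as CloudWatch Alarms needs on the topic's key.
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Principal values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def out_of_scope_actions(topic_policy):
    """Return (Sid, action) pairs whose action is not an SNS action.

    SNS validates the topic policy against its own service scope, so a kms:
    action here is rejected with 'Policy statement action out of service scope'.
    """
    bad = []
    for stmt in topic_policy.get("Statement", []):
        for action in _as_list(stmt.get("Action")):
            if action.split(":", 1)[0].lower() != "sns":
                bad.append((stmt.get("Sid"), action))
    return bad


def _principal_allows(principal, service):
    """True if the Principal element covers the given service principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        if service in _as_list(principal.get("Service")):
            return True
        if "*" in _as_list(principal.get("AWS")):
            return True
    return False


def missing_kms_permissions(key_policy, service="cloudwatch.amazonaws.com"):
    """Return the required KMS actions that no Allow statement grants to `service`.

    Action wildcards (kms:*, kms:GenerateDataKey*) are expanded with fnmatch.
    Conditions are not evaluated and Deny statements are ignored, so this is a
    conservative 'is it granted at all' check, not a full IAM simulator.
    """
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_allows(stmt.get("Principal"), service):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for required in REQUIRED_KMS_ACTIONS:
                if fnmatch.fnmatchcase(required.lower(), pattern.lower()):
                    granted.add(required)
    return [a for a in REQUIRED_KMS_ACTIONS if a not in granted]


def broad_kms_grants(key_policy, service="cloudwatch.amazonaws.com"):
    """Sids of Allow statements that hand `service` every KMS action (kms:* or *)."""
    return [
        stmt.get("Sid")
        for stmt in key_policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and _principal_allows(stmt.get("Principal"), service)
        and any(p.lower() in ("kms:*", "*") for p in _as_list(stmt.get("Action")))
    ]


# Constructed sample in the shape of the asker's topic policy: a KMS statement
# inside an SNS topic policy, which SNS will refuse to save.
TOPIC_POLICY_WITH_KMS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SNSPolicy", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe"],
     "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
    {"Sid": "CloudWatch", "Effect": "Allow",
     "Principal": {"Service": "cloudwatch.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"}
  ]
}""")

# Constructed key policy in the shape of the answer: kms:* for the service principal.
KEY_POLICY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root",
                      "Service": "cloudwatch.amazonaws.com"},
        "Action": "kms:*", "Resource": "*"}],
}

# Constructed least-privilege alternative: only what the publisher needs.
# In a key policy, Resource "*" means this key.
KEY_POLICY_MINIMAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudWatchToUseKey", "Effect": "Allow",
        "Principal": {"Service": "cloudwatch.amazonaws.com"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print("out of scope in topic policy:", out_of_scope_actions(TOPIC_POLICY_WITH_KMS))
    print("missing (broad key policy):", missing_kms_permissions(KEY_POLICY_BROAD))
    print("missing (minimal key policy):", missing_kms_permissions(KEY_POLICY_MINIMAL))
    print("kms:* grants:", broad_kms_grants(KEY_POLICY_BROAD))
```

Running it shows the three kms: actions the topic policy cannot carry, that both key policies satisfy the publisher, and that only the kms:* variant is flagged as broad. The `service` parameter lets the same check be pointed at events.amazonaws.com when the publisher is CloudWatch Events rather than CloudWatch Alarms; a key policy that names only one of the two principals will report both required actions missing for the other.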
