Accessing an Encrypted SNS Topic with Access policy
I am trying to get CloudWatch to send to my SNS topic. The topic is encrypted. But I get this error
Error received: "CloudWatch Alarms does not have permission to access the SNS topic encryption key."
I have added the KMS permissions to the access policy associated with the SNS topic, but I get this error when trying to save the policy
Error code: InvalidParameter - Error message: Error setting attribute access policy. Invalid parameter: Policy statement action out of service scope!
Am I misunderstanding something in the policy?
{
  "Version": "2012-10-17",
  "Id": "SNS",
  "Statement": [
    {
      "Sid": "SNSPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:*:my-account-name:my-topic-name"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:*:my-account-name:key/*"
      ],
      "Condition": {
        "StringEquals": {
          "kms:RequestAlias": "alias/my-alias-name"
        }
      }
    }
  ]
}
CloudWatch does not have the necessary permissions to access the KMS key that the SNS topic is using.
The following SNS topic access policy will grant access to Amazon CloudWatch Events.
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:<region>:<account>:<snstopic>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "<account>"
        }
      }
    },
    {
      "Sid": "AWSEvents_test_Id10633056916634",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:<region>:<account>:<snstopic>"
    }
  ]
}
Under the customer managed KMS key policy, it will grant access to the Amazon CloudWatch Events source.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:<iamuser>",
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
Multiple AWS services publish events to Amazon SNS topics. To learn more, please refer here
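An added example, not code from the question or the answer: a small offline checker for the two policies discussed, where `out_of_scope_actions` finds statements whose actions do not belong to the topic's own service (the cause of the "action out of service scope" error) and `service_can` checks whether a KMS key policy grants a service principal the actions it needs. The account id, Sids and the required-action list are constructed assumptions, and the key-policy check ignores Deny statements and Conditions.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def out_of_scope_actions(policy, service):
    """(Sid, action) pairs whose action prefix is not `service`, e.g. "sns".
    These are the statements SNS rejects with 'action out of service scope'."""
    bad = []
    for s in _as_list(policy["Statement"]):
        for a in _as_list(s.get("Action", [])):
            if a.split(":", 1)[0].lower() != service:
                bad.append((s.get("Sid"), a))
    return bad

def service_can(key_policy, principal_service, needed):
    """True if the Allow statements of a KMS key policy, taken together, grant
    `principal_service` every action in `needed`. Wildcards in granted actions
    (kms:GenerateDataKey*, kms:*) are honoured; Deny statements and Conditions
    are ignored, so True is necessary but not sufficient (simplification)."""
    granted = set()
    for s in _as_list(key_policy["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal", {})
        services = ["*"] if p == "*" else _as_list(p.get("Service", []))
        if principal_service in services or "*" in services:
            granted.update(a.lower() for a in _as_list(s.get("Action", [])))
    return all(any(fnmatch.fnmatchcase(n.lower(), g) for g in granted) for n in needed)

# Constructed samples (account id and Sids are placeholders): the asker's topic policy
# with KMS actions in it, a key policy lacking the service principal, and a fixed one.
TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SNSPolicy", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe"],
     "Resource": "arn:aws:sns:*:111122223333:my-topic-name"},
    {"Sid": "CloudWatch", "Effect": "Allow",
     "Principal": {"Service": "cloudwatch.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:*:111122223333:key/*"}]}
KEY_POLICY_MISSING = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
KEY_POLICY_FIXED = {"Version": "2012-10-17", "Statement": KEY_POLICY_MISSING["Statement"] + [
    {"Sid": "AllowCloudWatchAlarms", "Effect": "Allow",
     "Principal": {"Service": "cloudwatch.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}
CLOUDWATCH_NEEDS = ["kms:Decrypt", "kms:GenerateDataKey"]  # assumed required set
```

Running the checker on the asker's topic policy reports the three kms:* actions as out of scope, and only the key policy with the cloudwatch.amazonaws.com statement passes the second check.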