
How do I write the policy statement of an encrypted SQS for S3 events?

I have an SQS queue that used to have the following policy document, to receive S3 events from a bucket:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

Now I have enabled server-side encryption (SSE) for the queue. And I have followed this document to write the encryption policy statement. The policy statement now looks like this:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

But now the queue is not getting any messages from the bucket about files being added. Is there something wrong with my permissions?

This is now possible. From the AWS documentation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3 under the section "AWS KMS key policy"

If the SQS queue is SSE-enabled, you can attach the following key policy to the associated AWS Key Management Service (AWS KMS) customer managed customer master key (CMK). The policy grants the Amazon S3 service principal permission for the specific AWS KMS actions that are necessary to encrypt messages added to the queue.

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
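To put the two policies side by side, here is an added example (not code from the question, the answer, or AWS): a Python script that builds a least-privilege queue policy and the KMS key policy the answer quotes, plus a small linter that flags the defects visible in the question's second policy document (a statement with no Principal, KMS actions placed on the queue resource instead of the key, an anonymous "AWS": "*" principal, and sqs:ReceiveMessage granted to S3, which never reads from the queue). The account id, queue name and bucket name are constructed placeholders, and the aws:SourceAccount condition and the key-administration statement are additions beyond the documentation the answer quotes.

```python
import json

# Constructed placeholders (assumptions), not values from the page: the page
# shows the account id as "<>".
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:cypher-queue"
BUCKET_ARN = "arn:aws:s3:::cypher-secondarybucket"


def queue_policy(queue_arn, bucket_arn, account_id):
    """Resource policy attached to the queue itself.

    S3 only needs sqs:SendMessage and it calls SQS as the service principal
    s3.amazonaws.com, so the statement names that principal instead of
    "AWS": "*" and pins the caller to one bucket and one owning account.
    """
    return {
        "Version": "2012-10-17",
        "Id": "cypher-queue-policy",
        "Statement": [
            {
                "Sid": "AllowS3EventNotificationsFromOneBucket",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {
                    "ArnLike": {"aws:SourceArn": bucket_arn},
                    "StringEquals": {"aws:SourceAccount": account_id},
                },
            }
        ],
    }


def kms_key_policy(account_id):
    """Key policy attached to the customer managed CMK that encrypts the queue.

    "Resource": "*" in a key policy means "this key" only. The first statement
    keeps the account able to administer the key; a key policy that grants
    nothing to the account leaves the key unmanageable.
    """
    return {
        "Version": "2012-10-17",
        "Id": "cypher-queue-key-policy",
        "Statement": [
            {
                "Sid": "EnableKeyAdministrationByAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowS3ToEncryptQueueMessages",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": "*",
            },
        ],
    }


def lint_queue_policy(policy):
    """Return one finding per defect of the kinds seen in the question's policy."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        sid = st.get("Sid") or f"statement #{i}"
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if "Principal" not in st:
            findings.append(f"{sid}: no Principal; a resource-based policy statement needs one")
        if any(a.startswith("kms:") for a in actions):
            findings.append(f"{sid}: kms:* actions are evaluated by the KMS key policy, not the queue policy")
        if st.get("Principal") == {"AWS": "*"}:
            findings.append(f"{sid}: Principal AWS:* is broader than needed; S3 calls as Service s3.amazonaws.com")
        if "sqs:ReceiveMessage" in actions:
            findings.append(f"{sid}: S3 never receives from the queue; drop sqs:ReceiveMessage")
    return findings


# Constructed reproduction of the question's second (non-working) policy,
# reduced to the elements the linter inspects.
QUESTION_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "example-statement-ID", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
         "Resource": QUEUE_ARN},
        {"Effect": "Allow",
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": QUEUE_ARN},
    ],
}

if __name__ == "__main__":
    for f in lint_queue_policy(QUESTION_POLICY):
        print("finding:", f)
    print(json.dumps(queue_policy(QUEUE_ARN, BUCKET_ARN, ACCOUNT_ID), indent=2))
    print(json.dumps(kms_key_policy(ACCOUNT_ID), indent=2))
```

The two JSON documents go to different places: the queue policy is set with `aws sqs set-queue-attributes` (attribute name Policy), the key policy with `aws kms put-key-policy` on the CMK selected as the queue's KmsMasterKeyId. Running the script on the reproduced question policy prints four findings; the rebuilt queue policy produces none.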

I missed the following notice in the same article. I made a very silly mistake. Sending S3 events to an encrypted SQS queue will have to wait.

The following features of AWS services are currently not compatible with encrypted queues:

Amazon CloudWatch Events

Amazon S3 event notifications

Amazon SNS topic subscriptions

Auto Scaling lifecycle hooks

AWS IoT rule actions

AWS Lambda dead-letter queues
