Accessing an Encrypted SNS Topic with Access Policy
I am trying to get CloudWatch to send to my SNS topic. The topic is encrypted, but I get this error:
Error received: "CloudWatch Alarms does not have permission to access the SNS topic encryption key."
I have added the KMS permissions to the access policy associated with the SNS topic, but when I try to save that policy I get this error:
Error code: InvalidParameter - Error message: Error setting attribute access policy. Invalid parameter: Policy statement action out of service scope!
Is there something I am misunderstanding in the policy?
```json
{
  "Version": "2012-10-17",
  "Id": "SNS",
  "Statement": [
    {
      "Sid": "SNSPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:*:my-account-name:my-topic-name"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:*:my-account-name:key/*"
      ],
      "Condition": {
        "StringEquals": {
          "kms:RequestAlias": "alias/my-alias-name"
        }
      }
    }
  ]
}
```
CloudWatch does not have the necessary permissions to access the KMS key that the SNS topic is using.
The following SNS topic access policy will grant access to Amazon CloudWatch Events.
```json
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:<region>:<account>:<snstopic>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "<account>"
        }
      }
    },
    {
      "Sid": "AWSEvents_test_Id10633056916634",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:<region>:<account>:<snstopic>"
    }
  ]
}
```
Under the customer-managed KMS key policy, this will grant access to the Amazon CloudWatch Events source.
```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:<iamuser>",
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```
Several AWS services publish events to Amazon SNS topics. To learn more, refer here.
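As an added example (not part of either post above), a small Python check that flags the statements SNS rejects as "out of service scope" and moves the kms: grant into a key-policy statement limited to the actions a publisher needs; the account id, region and names are constructed placeholders.

```python
# Constructed sample modelled on the questioner's policy; account id and
# names are placeholders. The second statement is what SNS rejects as
# "out of service scope": a topic policy can only grant sns: actions.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SNSPolicy", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:Subscribe", "SNS:Publish"],
         "Resource": "arn:aws:sns:us-east-1:111122223333:my-topic-name"},
        {"Sid": "CloudWatch", "Effect": "Allow",
         "Principal": {"Service": "cloudwatch.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": ["arn:aws:kms:us-east-1:111122223333:key/*"]},
    ],
}

def _actions(stmt):
    """Normalise Action (a string or a list) to a list of strings."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)

def out_of_scope_sids(topic_policy):
    """Sids of statements an SNS topic policy cannot hold (non-sns: actions)."""
    return [s["Sid"] for s in topic_policy["Statement"]
            if any(not a.lower().startswith("sns:") for a in _actions(s))]

def split_kms_into_key_policy(topic_policy):
    """Return (cleaned topic policy, key-policy statements).

    Any statement granting kms: actions is removed from the topic policy and
    rewritten as a key-policy statement carrying only the actions a publisher
    to an encrypted topic needs, rather than a blanket kms:*.
    """
    topic = dict(topic_policy, Statement=[])
    key_statements = []
    for stmt in topic_policy["Statement"]:
        if any(a.lower().startswith("kms:") for a in _actions(stmt)):
            key_statements.append({
                "Sid": f"{stmt['Sid']}KeyUse",
                "Effect": "Allow",
                "Principal": stmt["Principal"],
                "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
                "Resource": "*",  # in a key policy, "*" means this key only
            })
        else:
            topic["Statement"].append(stmt)
    return topic, key_statements
```

The returned key-policy statement is meant to be appended to the key's existing policy, not to replace the statement that keeps the account's IAM administrators able to manage the key.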