gio*_*oni 5 amazon-sqs amazon-web-services
According to the AWS documentation, this policy allows any S3 bucket to send notifications to an SNS topic:
{
  "Version": "2012-10-17",
  "Id": "MyAWSPolicy",
  "Statement": [
    {
      "Sid": "My-statement-id",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111122223333:My-Topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "444455556666"
        }
      }
    }
  ]
}
I want to do the same thing for an SQS queue instead of an SNS topic. This policy does not work:
{
  "Version": "2012-10-17",
  "Id": "MyAWSPolicy",
  "Statement": [
    {
      "Sid": "My-statement-id",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:My-Queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:111122223333:*"
        }
      }
    }
  ]
}
This one (which allows every AWS account in the world) works:
{
  "Version": "2012-10-17",
  "Id": "MyAWSPolicy",
  "Statement": [
    {
      "Sid": "My-statement-id",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:My-Queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:*"
        }
      }
    }
  ]
}
But when I try to restrict it with a Principal, it stops working:
{
  "Version": "2012-10-17",
  "Id": "MyAWSPolicy",
  "Statement": [
    {
      "Sid": "My-statement-id",
      "Effect": "Allow",
      "Principal": "111122223333",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:My-Queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:*"
        }
      }
    }
  ]
}
By "does not work" I mean that the policy is accepted as valid, but when I try to configure the S3 bucket to send notifications (NotificationConfiguration) I get the error:
Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket
If you want to restrict access to a specific AWS account, you need to add a nested AWS block inside Principal:
"Principal": {
  "AWS": "111122223333"
},
or, with multiple accounts:
"Principal": {
  "AWS": [
    "123456789012",
    "555555555555"
  ]
}
For details, see AWS JSON policy elements: Principal.
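As an added worked example (not code from the question or the answer above), the following Python script does three things a practitioner would want to check before applying such a queue policy. It builds the queue policy in the form the S3 event notification documentation recommends, which grants sqs:SendMessage to the s3.amazonaws.com service principal and pins the caller with both aws:SourceArn and aws:SourceAccount so that a bucket with the same name in another account cannot feed the queue (confused-deputy protection). It implements a segment-wise ArnLike matcher and evaluates the question's two aws:SourceArn patterns against a real bucket ARN: bucket ARNs have the form arn:aws:s3:::bucket-name with empty region and account fields, so the pattern carrying an account ID in the fifth field can never match, while arn:aws:s3:*:*:* and the documented arn:aws:s3:*:*:bucket-name do. Finally it lints the Principal element for the bare-string form the answer warns about. The queue ARN, bucket name and account IDs are made-up values; the boto3 call at the end is commented out because the script runs offline.

```python
"""S3 -> SQS notification queue policy: build, match and lint.

Added example; all identifiers below are constructed for illustration.
"""
from __future__ import annotations

import fnmatch
import json

# Constructed sample identifiers (not real resources).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:My-Queue"
BUCKET_NAME = "my-bucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET_NAME}"   # note the empty region/account fields
BUCKET_OWNER = "111122223333"


def arn_like(pattern: str, arn: str) -> bool:
    """Approximate IAM's ArnLike operator: compare the six colon-separated
    ARN fields one by one; '*' matches zero or more characters and '?'
    exactly one. An empty field only matches an empty field or a '*'."""
    pat_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pat_parts) != 6 or len(arn_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(pat_parts, arn_parts))


def evaluate_question_patterns(bucket_arn: str) -> dict[str, bool]:
    """Evaluate the aws:SourceArn patterns from the question, plus the
    documented per-bucket form, against a real bucket ARN."""
    bucket = bucket_arn.rsplit(":", 1)[1]
    patterns = [
        "arn:aws:s3:*:111122223333:*",   # account ID in the (empty) account field
        "arn:aws:s3:*:*:*",              # any bucket in any account
        f"arn:aws:s3:*:*:{bucket}",      # one bucket, as in the AWS docs
    ]
    return {p: arn_like(p, bucket_arn) for p in patterns}


def lint_principal(principal) -> list[str]:
    """Return problems with a Principal element. Only "*" is valid as a
    bare string; account IDs, ARNs and service names go under a key such
    as "AWS" or "Service"."""
    problems: list[str] = []
    if principal == "*":
        return problems
    if isinstance(principal, str):
        problems.append(
            f'bare string Principal {principal!r}: use {{"AWS": {principal!r}}} '
            'for an account or {"Service": "..."} for an AWS service'
        )
        return problems
    if not isinstance(principal, dict):
        problems.append('Principal must be "*" or an object')
        return problems
    for key in principal:
        if key not in ("AWS", "Service", "Federated", "CanonicalUser"):
            problems.append(f"unknown Principal key {key!r}")
    return problems


def build_queue_policy(queue_arn: str, bucket_name: str, bucket_owner: str) -> dict:
    """Queue policy in the form the S3 notification docs recommend: the S3
    service principal may SendMessage, restricted to one bucket owned by one
    account via aws:SourceArn and aws:SourceAccount."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3BucketNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": bucket_owner},
            },
        }],
    }


if __name__ == "__main__":
    for pattern, matched in evaluate_question_patterns(BUCKET_ARN).items():
        print(f"{pattern:40s} matches {BUCKET_ARN}: {matched}")
    for p in ("*", "111122223333", {"AWS": "111122223333"}):
        print(f"Principal {p!r}: {lint_principal(p) or 'ok'}")
    policy = build_queue_policy(QUEUE_ARN, BUCKET_NAME, BUCKET_OWNER)
    print(json.dumps(policy, indent=2))
    # To apply it for real (requires credentials and the queue to exist):
    # import boto3
    # boto3.client("sqs").set_queue_attributes(
    #     QueueUrl="https://sqs.us-east-1.amazonaws.com/111122223333/My-Queue",
    #     Attributes={"Policy": json.dumps(policy)})
```

The matcher shows the mechanism behind the question's second and third policies: the SourceArn condition is evaluated against the bucket ARN that S3 presents, and only patterns whose account field can match an empty string succeed. Pinning the bucket name in the sixth field and adding aws:SourceAccount is what keeps the wildcard from opening the queue to every bucket in every account.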