无法验证以下目标配置（S3 到 SQS）

Question

我正在尝试使用无服务器建立一个工作流程，该工作流程创建一个新的 S3 存储桶、一个新的 SQS 队列，当在 S3 存储桶中创建一个对象时，将消息放入队列中，并在队列上有足够的消息时启动 lambda队列。我的资源块中有以下内容：

resources:
  Resources:
    AnalyticsQueue:
      Type: "AWS::SQS::Queue"
      Properties:
        QueueName: "my-queue"
    S3EventQueuePolicy:
      Type: AWS::SQS::QueuePolicy
      DependsOn: AnalyticsQueue
      Properties:
        PolicyDocument:
          Id: SQSPolicy
          Statement:
            - Effect: Allow
              Action: sqs:SendMessage:*
              Resource: !Ref AnalyticsQueue
        Queues:
          - !GetAtt AnalyticsQueue.Arn
    AnalyticsBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: "my-bucket"
        NotificationConfiguration:
          QueueConfigurations:
            - Event: s3:ObjectCreated:*
              Queue: !GetAtt AnalyticsQueue.Arn

当我尝试部署它时，我收到以下错误：

发生错误：AnalyticsBucket - 无法验证以下目标配置（服务：Amazon S3；状态代码：400；错误代码：InvalidArgument；请求 ID：E2A1F8BD6BEE6EF4；）。

经过一番谷歌搜索，我发现问题出NotificationConfiguration在AnalyticsBucket. 如果我删除整个子块，它部署得很好，但显然在创建对象时不会在队列上生成消息。

正在寻找解决这个问题的方法。

Answer 1

您需要将这样的内联“访问”策略添加到 SQS 队列中：

\n

{\n  "Version": "2012-10-17",\n  "Id": "example-ID",\n  "Statement": [\n    {\n      "Sid": "example-statement-ID",\n      "Effect": "Allow",\n      "Principal": {\n        "Service": "s3.amazonaws.com"\n      },\n      "Action": [\n        "SQS:SendMessage"\n      ],\n      "Resource": "arn:aws:sqs:<region>:<account-id>:<queue-name>",\n      "Condition": {\n        "ArnLike": {\n          "aws:SourceArn": "arn:aws:s3:::<my-bucket-name>"\n        },\n        "StringEquals": {\n          "aws:SourceAccount": "bucket-owner-account-id"\n        }\n      }\n    }\n  ]\n}\n

\n

来源：https ://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html

\n

<region>注意：需要替换 JSON 中的占位符。

\n

{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n      "Sid": "Allow Amazon S3 to use this key",\n      "Effect": "Allow",\n      "Principal": {\n        "Service": "s3.amazonaws.com"\n      },\n      "Action": [\n        "kms:GenerateDataKey",\n        "kms:Decrypt"\n      ],\n      "Resource": "arn:aws:kms:<region>:<account-id>:<key-alias>",\n      "Condition": {\n        "StringEquals": {\n          "AWS:SourceAccount": "<account-id>"\n        },\n        "ArnLike": {\n          "AWS:SourceArn": "arn:aws:s3:::<bucket-name>"\n        }\n    },\n    {\n      "Sid": "Enable IAM User Permissions",\n      "Effect": "Allow",\n      "Principal": {\n        "AWS": "arn:aws:iam::<account-id>:root"\n      },\n      "Action": "kms:*",\n      "Resource": "*"\n    }\n  ]\n}\n

\n

您的队列还可以使用服务器端加密。在这种情况下，您还需要向客户 KMS 添加策略（必须是客户 KMS 密钥，默认 AWS 密钥将不起作用；请阅读为什么 \xe2\x80\x99t Amazon S3 事件通知传递到使用服务器端加密？）

\n

Answer 2

许多 AWS 配置允许您连接服务，如果没有权限，它们会在运行时失败，但是 S3 通知配置会检查某些目标的访问情况。

在这种情况下，您不允许 S3 向 SQS 发送消息。

它应该是这样的：

  PolicyDocument:
    Id: SQSPolicy
    Statement:
    - Sid: SQSEventPolicy
      Effect: Allow
      Principal: "*"
      Action: SQS:*
      Resource: "*"
      Condition:
        ArnLike:
          aws:SourceArn: arn:aws:s3:::*