允许账户中的任何 AWS 资源发布到 SQS 队列
Allow any AWS resource from an account to publish to an SQS queue
According to the AWS documentation,此策略允许任何 S3 存储桶向 SNS 主题发送通知:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sns:Publish",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Topic",
"Condition":{
"StringEquals":{
"AWS:SourceAccount":"444455556666"
}
}
}
]
}
我想对 SQS 队列而不是 SNS 主题执行相同的操作。此政策无效:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:111122223333:*"
}
}
}
]
}
这(允许世界上的每个 AWS 账户)有效:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:*:*"
}
}
}
]
}
但是当我尝试用 Principal 限制它时,它又不起作用了:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"111122223333",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:*:*"
}
}
}
]
}
"doesn't work" 我的意思是该策略被接受为有效,但是当我尝试配置 S3 存储桶以发送通知 (NotificationConfiguration) 时,我收到错误消息:
Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket
如果您想限制对特定AWS账户的访问,您需要在Principal下添加嵌套块AWS:
"Principal": {
"AWS": "111122223333"
},
或多个帐户:
"Principal" : {
"AWS": [
"123456789012",
"555555555555"
]
}
According to the AWS documentation,此策略允许任何 S3 存储桶向 SNS 主题发送通知:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sns:Publish",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Topic",
"Condition":{
"StringEquals":{
"AWS:SourceAccount":"444455556666"
}
}
}
]
}
我想对 SQS 队列而不是 SNS 主题执行相同的操作。此政策无效:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:111122223333:*"
}
}
}
]
}
这(允许世界上的每个 AWS 账户)有效:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:*:*"
}
}
}
]
}
但是当我尝试用 Principal 限制它时,它又不起作用了:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"111122223333",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:*:*"
}
}
}
]
}
"doesn't work" 我的意思是该策略被接受为有效,但是当我尝试配置 S3 存储桶以发送通知 (NotificationConfiguration) 时,我收到错误消息:
Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket
如果您想限制对特定AWS账户的访问,您需要在Principal下添加嵌套块AWS:
"Principal": {
"AWS": "111122223333"
},
或多个帐户:
"Principal" : {
"AWS": [
"123456789012",
"555555555555"
]
}