AWS 允许特定账户的任何用户向队列发送消息
AWS allow any user of a specific account to send messages to a queue
根据文档 here:
,我正在尝试为队列配置 SQS 策略以授权帐户的所有原则向该队列发送消息
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "Sqs policy1",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789:root"
]
}
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:eu-west-1:123456789:my_queue"
}
]
}
这会允许该帐户的任何原则向 my_queue 发送消息还是只允许 root 用户?
或者我应该使用以下带有条件的政策吗?
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "Sqs policy1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
}
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:eu-west-1:123456789:my_queue"
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "123456789"
}
}
}
]
}
TIA
文档说:
When you use an AWS account identifier as the principal in a policy, you delegate authority to the account. All identities inside the account can access the resource if they have the appropriate IAM permissions attached to explicitly allow access. This includes IAM users and roles in that account.
据此,您的第一种方法将允许所有用户发送消息。
只有第一个政策有效。第二种政策不会奏效,就像你想的那样。原因是 aws:SourceAccount 仅用于 service-to-service requests,不适用于 IAM 用户或角色。使用 aws:SourceAccount 的最常见示例是 S3:
For example, when an Amazon S3 bucket update triggers an Amazon SNS topic post, the Amazon S3 service invokes the sns:Publish API operation. The bucket is considered the source of the SNS request and the value of the key is the account ID associated with the bucket.
IAM users/roles 在第二个帐户 中发出的发送消息请求将被拒绝 因为对于这些实体没有 aws:SourceAccount.
根据文档 here:
,我正在尝试为队列配置 SQS 策略以授权帐户的所有原则向该队列发送消息{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "Sqs policy1",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789:root"
]
}
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:eu-west-1:123456789:my_queue"
}
]
}
这会允许该帐户的任何原则向 my_queue 发送消息还是只允许 root 用户?
或者我应该使用以下带有条件的政策吗?
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "Sqs policy1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
}
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:eu-west-1:123456789:my_queue"
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "123456789"
}
}
}
]
}
TIA
文档说:
When you use an AWS account identifier as the principal in a policy, you delegate authority to the account. All identities inside the account can access the resource if they have the appropriate IAM permissions attached to explicitly allow access. This includes IAM users and roles in that account.
据此,您的第一种方法将允许所有用户发送消息。
只有第一个政策有效。第二种政策不会奏效,就像你想的那样。原因是 aws:SourceAccount 仅用于 service-to-service requests,不适用于 IAM 用户或角色。使用 aws:SourceAccount 的最常见示例是 S3:
For example, when an Amazon S3 bucket update triggers an Amazon SNS topic post, the Amazon S3 service invokes the sns:Publish API operation. The bucket is considered the source of the SNS request and the value of the key is the account ID associated with the bucket.
IAM users/roles 在第二个帐户 中发出的发送消息请求将被拒绝 因为对于这些实体没有 aws:SourceAccount.