
I have an SQS queue that used to have the following policy document. It is used to receive S3 events from a bucket:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

Now I have enabled server-side encryption (SSE) for the queue, and I have written the encryption policy statement following this document. The policy document now looks like this:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

But now the queue is not getting any messages from the bucket about files being added. Am I doing something wrong with the permissions?


2 Answers


This is now possible. From the AWS documentation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3 under the section "AWS KMS key policy"

If the SQS queue is SSE enabled, you can attach the following key policy to the associated AWS Key Management Service (AWS KMS) customer managed customer master key (CMK). The policy grants the Amazon S3 service principal permission for the specific AWS KMS actions that are necessary to encrypt messages added to the queue.

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

answered 2020-01-28T23:53:12.590
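As an added illustration (not part of the answer above), the checker below reads a policy document and reports whether it grants the S3 service principal the two KMS actions the quoted key policy grants, and separately flags KMS actions that were placed in an SQS queue policy, which is the misconfiguration in the question (an SQS queue policy only governs sqs: actions; KMS permission has to live on the key policy). The sample policies and the account id 111122223333 are constructed, and the checker ignores Condition blocks.

```python
import json

# Constructed sample: the KMS key policy quoted in the answer above.
KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "example-statement-ID",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": "*",
    }],
})

# Constructed sample: KMS actions mistakenly placed in the SQS queue policy,
# mirroring the question (SQS resource ARN, no Principal). Account id is fake.
QUEUE_POLICY_WITH_KMS = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:cypher-queue",
    }],
})

# IAM action names are case-insensitive, so compare in lowercase.
REQUIRED = {"kms:generatedatakey", "kms:decrypt"}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def s3_can_use_key(policy_json: str) -> bool:
    """True if some Allow statement grants s3.amazonaws.com both required KMS
    actions (or kms:*). Condition blocks are not evaluated (checker assumption)."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "s3.amazonaws.com" in services and ("kms:*" in actions or REQUIRED <= actions):
            return True
    return False


def misplaced_kms_actions(queue_policy_json: str) -> list:
    """Return kms: actions found in an SQS queue policy; they have no effect there."""
    found = []
    for stmt in _as_list(json.loads(queue_policy_json).get("Statement", [])):
        found += [a for a in _as_list(stmt.get("Action", [])) if a.lower().startswith("kms:")]
    return found
```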

I missed the following announcement in the same article. A very silly mistake on my part. I will have to wait for S3 events to be sent to encrypted SQS.

The following features of AWS services are not currently compatible with encrypted queues:

Amazon CloudWatch Events

Amazon S3 Event Notifications

Amazon SNS Topic Subscriptions

Auto Scaling Lifecycle Hooks

AWS IoT Rule Actions

AWS Lambda Dead-Letter Queues

answered 2017-06-16T10:09:32.163