4

我有一个基础设施,其中 SNS 主题向 SQS 发送消息(当然使用 SNS 订阅)。当我设置以下访问策略时,它可以工作。

 {
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "SendMessagePolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:312226949769:mr-sandbox-loyalty",
      "Condition": {
        "ArnEquals": {
          "AWS:SourceArn": "arn:aws:sns:us-east-1:312226949769:mr-sandbox-transaction-created"
        }
      }
    }
  ]
}

但是*我设置arn:aws:iam::312226949769:root消息而不是发送到队列时。我使用的帐号是312226949769。有任何想法吗?

谢谢。

更新

在 Web 控制台中,当我尝试将Principal: 312226949769其设置为Principal: arn:aws:iam::312226949769:root

4

2 回答 2

0

我的解决方案最终没有使用我的特定帐户作为委托人,而是使用 SNS 服务。这应该没问题,因为我有特定 sns 主题 arn 的条件

Resources:
  Policy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
              - sns.amazonaws.com
          Action:
          - sqs:SendMessage
          Resource: !GetAtt MySQS.Arn
          Condition:
            ArnEquals:
              aws:SourceArn: !Ref MyTopic
      Queues:
        - !Ref MySQS
于 2020-07-07T06:54:26.337 回答
0

我设法解决了这个问题。我将 IAM ARN 添加到 ArnEquals 条件。

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "SendersPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:%account_id%:mr-prod-loyalty-program",
      "Condition": {
        "ArnEquals": {
          "AWS:SourceArn": [
            "arn:aws:iam::%account_id%:role/boss-mr-prod-sqs-dashboard",
            "arn:aws:iam::%account_id%:role/IDT-PSF-Instance-Profile"
          ]
        }
      }
    }      
  ]
}
于 2020-07-06T11:23:10.000 回答