3

I have an event bus and created an event rule that forwards events to an SQS queue. I have now enabled encryption on my queue using the default Amazon-managed key (alias/aws/sqs).

Since enabling encryption, events are no longer forwarded. Searching the AWS documentation I could only find information about encrypting with a CMK, but nothing about Amazon-managed keys.

I suspect it is a permissions problem, but I'm not sure. Here are my event rule and access policy:

  # Rule on the custom event bus that forwards INVOICE_CREATED events to the queue
  queueCreateInvoiceEvent:
    Type: AWS::Events::Rule
    DependsOn: [myQueue]
    Properties:
      Description: Forward INVOICE_CREATED event to SQS queue
      EventBusName: ${self:custom.eventBus.name}
      EventPattern: { "detail-type": ["INVOICE_CREATED"] }
      Name: ${self:service.name}-${self:provider.stage}-buffer-invoice-created-event
      State: ENABLED
      Targets:
        - Id: myQueue
          Arn:
            Fn::GetAtt: [myQueue, Arn]

  # Queue policy letting the EventBridge service principal deliver to the queue,
  # restricted to messages originating from the rule above via aws:SourceArn
  createReceiptQueueAccessPolicy:
    Type: AWS::SQS::QueuePolicy
    DependsOn: [queueCreateInvoiceEvent, myQueue]
    Properties:
      Queues:
        - { Ref: myQueue }   # must reference the same queue the rule targets
      PolicyDocument:
        Id: EventBridgeSqsAccessPolicy
        Version: "2012-10-17"
        Statement:
          - Sid: Allow-User-SendMessage
            Effect: Allow
            Principal:
              Service: "events.amazonaws.com"
            Action:
              - sqs:SendMessage
            Resource:
              - Fn::GetAtt: ["myQueue", "Arn"]
            Condition:
              ArnEquals:
                aws:SourceArn:
                  - Fn::GetAtt: ["queueCreateInvoiceEvent", "Arn"]

2 Answers

5

According to the EventBridge troubleshooting page, your KMS key policy needs to allow EventBridge to use the key:

{
    "Sid": "Allow EventBridge to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}
answered 2020-12-09T18:01:11.123
0

Adding to what was said above, with more detail. As of today (2022-03-04) you need the following to allow EventBridge to send to an encrypted SQS queue. From the AWS docs https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse:

Some AWS services act as event sources and can send events to an Amazon SQS queue. To allow these event sources to work with encrypted queues, you must create a customer managed KMS key and add permissions in the key policy for the service to use the required AWS KMS API methods.

  1. A customer managed KMS key with a policy that allows events.amazonaws.com certain actions.
  2. The SQS queue must then be encrypted with that KMS key ID.

Here are the two CloudFormation resources required.

# KMS key is required to allow eventbridge to send to encrypted sqs queue
# https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse
KmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: my-key-name
    KeyPolicy:
      Version: "2012-10-17"
      Statement:
        - Sid: Allow EventBridge access
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action:
            - kms:GenerateDataKey
            - kms:Decrypt
          Resource: '*'

        - Sid: Allow access for Key Administrators
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/my-role-name
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:*
          Resource: '*'

EventRuleQueue:
  Type: AWS::SQS::Queue
  Properties:
    QueueName: my-queue-name
    KmsMasterKeyId: !Ref KmsKey
    KmsDataKeyReusePeriodSeconds: 43200 # 12 hours to reduce cost
answered 2022-03-04T21:45:40.250
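As an added example (not code from either answer), the rule both answers rely on can be checked offline before deploying: given a KMS key policy document, report which of the two actions the SQS docs require (`kms:GenerateDataKey`, `kms:Decrypt`) are not effectively granted to `events.amazonaws.com`. The policies embedded below are constructed stand-ins; the first mirrors the answer's CloudFormation key policy and the second models a key that only grants the account root.

```python
import fnmatch
import json

EVENTBRIDGE = "events.amazonaws.com"
# The two KMS permissions the SQS docs require for an event source on an SSE queue.
REQUIRED = ("kms:GenerateDataKey", "kms:Decrypt")


def _as_list(value):
    # IAM accepts a string or a list in Action/Principal fields; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_service(principal, service):
    # True if the statement's Principal names the service (or is the wildcard "*").
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service"))


def missing_permissions(policy, service=EVENTBRIDGE):
    """Required KMS actions not effectively granted to `service`: an Allow statement
    grants an action its Action pattern (e.g. "kms:*") matches; a matching Deny wins."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not _matches_service(stmt.get("Principal"), service):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in REQUIRED if fnmatch.fnmatchcase(a, pattern))
    return sorted(set(REQUIRED) - (allowed - denied))


# Constructed key policy mirroring the answer's CloudFormation (admin statement omitted).
GOOD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Allow EventBridge access", "Effect": "Allow",
   "Principal": {"Service": "events.amazonaws.com"},
   "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}]}""")

# Constructed policy that only grants the account root, as on a key never opened to
# the service: EventBridge cannot encrypt the message and delivery to the queue fails.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Root", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("answer's key policy, missing:", missing_permissions(GOOD_POLICY))  # []
    print("root-only key policy, missing:", missing_permissions(BAD_POLICY))
```

This also explains the original question: the policy of an AWS-managed key such as alias/aws/sqs cannot be edited, so the missing statement can only be added on a customer managed key.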