According to the AWS documentation,此策略允许任何S3存储桶向SNS主题发送通知:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sns:Publish",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Topic",
"Condition":{
"StringEquals":{
"AWS:SourceAccount":"444455556666"
}
}
}
]
}
我想对SQS队列而不是SNS主题做同样的事情。本政策不起作用:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:111122223333:*"
}
}
}
]
}
这(允许世界上的每个AWS账户)都有效:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:*:*"
}
}
}
]
}
但是当我尝试用Principal来限制它时,它再也不起作用了:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"111122223333",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:*:*"
}
}
}
]
}
由于"没有工作"我的意思是该策略被接受为有效,但当我尝试配置S3存储桶以发送通知(NotificationConfiguration)时,我收到错误:
Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket