Allow a CloudWatch Alarm in another account to send to SNS

Time: 2017-05-25 17:52:02

Tags: amazon-sns amazon-cloudwatch

I have an SNS topic in account "A" that is the trigger for a Lambda function in the same account. This Lambda function sends messages to a private Slack channel.

This works fine as long as the CloudWatch alarm is in the same account (account A).

But I also want to do this from "account B", and I get:

{
  "error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "actionState": "Failed",
  "notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "stateUpdateTimestamp": 1495732611020,
  "publishedMessage": null
}

So how do I grant the CloudWatch Alarm ARN permission to publish to the topic?

Trying to add a policy fails:

Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725)

I see someone else ran into the same problem at https://forums.aws.amazon.com/thread.jspa?threadID=143607 (years ago!), but an answer was never accepted.

Update

Trying to work around this, I am now trying to use a local SNS topic and then forward it to the remote account. However, I still get:

"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"

This is with the following SNS policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    }
  ]
}

If I manually send a message to the topic using "Publish to topic", I can see it arrive at the Lambda function, so everything works except the CloudWatch access.

1 answer:

Answer 0 (score: 5)

Through trial and error I found that the condition did not work. For some reason. Not sure why it doesn't see the source account...

A broader policy makes it work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    },
    {
      "Sid": "AllowCloudWatchAlarmsToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*"
        }
      }
    }
  ]
}
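The policy above grants `sns:Publish` to `"AWS": "*"` and relies entirely on the `aws:SourceAccount` / `aws:SourceArn` conditions to keep the topic from being world-writable, so the two things worth checking on such a policy are (1) that every anonymous Publish grant actually carries one of those scoping keys and (2) which alarm ARNs the `ArnLike` pattern admits. The script below is an added example, not code from the question or the answer; `TOPIC_POLICY` is constructed from the answer's final policy with made-up values (region `us-east-1`, local account `111111111111`, remote account `222222222222`, topic `slack-alerts`), and the evaluator covers only the policy features used on this page (Allow statements, wildcard principals, `StringEquals` and `ArnLike`), not the full IAM evaluation logic.

```python
"""Lint an SNS topic policy for unscoped anonymous Publish grants and simulate
which CloudWatch alarm ARNs its conditions admit.

Added example, not code from the original question or answer. TOPIC_POLICY is
constructed from the answer's final policy with made-up ids. The evaluator only
implements Allow + Principal "*" + StringEquals/ArnLike on aws:SourceAccount and
aws:SourceArn; it is not a full IAM engine.
"""
import copy
import fnmatch

LOCAL, REMOTE, REGION = "111111111111", "222222222222", "us-east-1"  # constructed
TOPIC_ARN = f"arn:aws:sns:{REGION}:{LOCAL}:slack-alerts"              # constructed

TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowLambdaAccountToSubscribe", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{REMOTE}:root"},
         "Action": ["sns:Subscribe", "sns:Receive"], "Resource": TOPIC_ARN},
        {"Sid": "AllowLocalAccountToPublish", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "sns:Publish", "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"AWS:SourceAccount": LOCAL}}},
        {"Sid": "AllowCloudWatchAlarmsToPublish", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "sns:Publish", "Resource": TOPIC_ARN,
         "Condition": {"ArnLike": {
             "AWS:SourceArn": f"arn:aws:cloudwatch:{REGION}:{LOCAL}:alarm:*"}}},
    ],
}

SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(stmt):
    """Both spellings of "anyone": "Principal": "*" and {"AWS": "*"}."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def grants_anonymous_publish(stmt):
    actions = {a.lower() for a in as_list(stmt.get("Action", []))}
    return (stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt)
            and bool({"sns:publish", "sns:*", "*"} & actions))


def unscoped_publish_sids(policy):
    """Sids of statements letting any principal publish with no aws:SourceArn /
    aws:SourceAccount condition, i.e. a topic anyone on the internet can post to."""
    found = []
    for stmt in policy["Statement"]:
        if not grants_anonymous_publish(stmt):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & SCOPING_KEYS:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def condition_matches(condition, ctx):
    """Every operator/key must hold (AND); a list of values is OR-ed.
    ArnLike is approximated with shell-style globbing over the whole ARN."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "ArnLike"):
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in as_list(wanted):
                return False
            if operator == "ArnLike" and not any(
                    fnmatch.fnmatchcase(actual, w) for w in as_list(wanted)):
                return False
    return True


def alarm_publish_sids(policy, alarm_arn):
    """Statements that admit a CloudWatch alarm publishing from alarm_arn.
    The alarm's account id is the 5th colon-separated field of its ARN."""
    ctx = {"aws:sourcearn": alarm_arn, "aws:sourceaccount": alarm_arn.split(":")[4]}
    return [s["Sid"] for s in policy["Statement"]
            if grants_anonymous_publish(s) and condition_matches(s.get("Condition", {}), ctx)]


def without_condition(policy, sid):
    """Copy of policy with the named statement's Condition removed (lint demo)."""
    clone = copy.deepcopy(policy)
    for stmt in clone["Statement"]:
        if stmt.get("Sid") == sid:
            stmt.pop("Condition", None)
    return clone


if __name__ == "__main__":
    local_alarm = f"arn:aws:cloudwatch:{REGION}:{LOCAL}:alarm:cpu-high"
    remote_alarm = f"arn:aws:cloudwatch:{REGION}:{REMOTE}:alarm:cpu-high"
    print("unscoped grants:", unscoped_publish_sids(TOPIC_POLICY))
    print("local alarm admitted by:", alarm_publish_sids(TOPIC_POLICY, local_alarm))
    print("remote alarm admitted by:", alarm_publish_sids(TOPIC_POLICY, remote_alarm))
    stripped = without_condition(TOPIC_POLICY, "AllowCloudWatchAlarmsToPublish")
    print("unscoped after stripping condition:", unscoped_publish_sids(stripped))
```

Run against the answer's policy, the lint finds no unscoped grant, a simulated alarm in `LOCAL_ACCOUNT` is admitted by both Publish statements, and a simulated alarm in `REMOTE_ACCOUNT` matches neither, which is exactly the behaviour the `arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*` pattern encodes. Deleting the `Condition` from the `"AWS": "*"` statement, as the last line demonstrates, is what turns the topic into one anyone can publish to, so that is the change to watch for in policy reviews.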