AmazonIpSpaceChanged在不同地区的SNS订阅错误

时间:2017-09-01 03:21:18

标签: amazon-web-services aws-lambda amazon-sns

为什么我不能在AmazonIpSpaceChanged上隐藏SNS?请检查,我需要你的指导。

我基本上遵循的指南是来自AWS Security博客的How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda

这是终端的输出:

➜  terminal $ cat ~/.aws/config
[default]
region = ap-southeast-1
➜  terminal $ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller

An error occurred (InvalidParameter) when calling the Subscribe operation: Invalid parameter: TopicArn
➜  terminal $ AWS_REGION=ap-southeast-1 aws sns subscribe --topic-arn arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller

An error occurred (AuthorizationError) when calling the Subscribe operation: User: arn:aws:iam::accountid_removed:user/removed@gmail.com is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged

这也是通过AWS Web Console完成的输出:

User: arn:aws:iam::accountid_removed:user/removed@gmail.com is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 0e87384a-e298-569e-bf2d-6a5718eedc40)

2 个答案:

答案 0 :(得分:3)

该错误是因为您的API调用必须发送到Amazon SNS主题所在的us-east-1区域。

$ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol email --notification-endpoint xyzzy@mailinator.com --region us-east-1
{
    "SubscriptionArn": "pending confirmation"
}

看来在其他区域订阅AWS Lambda函数也可以(或者,至少没有返回错误):

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-2:123456789012:foo --region us-east-1
{
    "SubscriptionArn": "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged:37dab281-1e8f-16ba-8e4a-ef9de429101b"
}

答案 1 :(得分:1)

这也可以通过CloudFormation的(新)Region参数来实现。

代码摘录了CloudFormation(json)SNS资源:

"LambdaAmazonIpSpaceChangedSubscription" : {
  "Type" : "AWS::SNS::Subscription",
  "Properties" : {
    "Endpoint" : {"Fn::GetAtt" : ["LambdaFunction", "Arn"] },
    "Protocol" : "lambda",
    "TopicArn" : "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged",

    "Region": "us-east-1"

  }
},
相关问题
最新问题