How do I set up an AWS SNS topic in one account so that it can receive notifications from SES in another account?

Date: 2018-08-14 11:06:51

Tags: amazon-web-services amazon-iam amazon-sns amazon-ses

I have two AWS accounts:

  • Account 1 (111111111111) contains a Simple Notification Service topic (email-events-topic)
  • Account 2 (222222222222) contains Simple Email Service with a configuration set (Configuration_Set_01).

I want to add an SNSDestination to Configuration_Set_01 so that SES event notifications can be published to email-events-topic.

I set the following topic policy on email-events-topic:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::2222222222222:root"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
    }
  ]
}

When I try to add the SNSDestination to Configuration_Set_01, referencing email-events-topic, it gives me the error Could not access SNS topic <…> …

[Image: Add SNSDestination error]

If the policy on email-events-topic is the following, the destination is added successfully:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
    }
  ]
}

This works:

"Principal": {
  "AWS": "*"
}

This does not work:

"Principal": {
  "AWS": "arn:aws:iam::222222222222:root"
}

As I can see here https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html, the syntax of the Principal.AWS value in the second option is correct.

How do I correctly set up the topic policy on email-events-topic so that only the SES configuration set in account 2 (or any service in account 2) can add it as an event destination?

If the problem is not only with the topic policy, what else should be done to solve it?

2 answers:

Answer 0 (score: 0)

The example link you shared is for S3 resource policies. Could you try modifying your policy following the one in the SNS document below?

{
    "Version":"2012-10-17",
    "Id":"AWSAccountTopicAccess",
    "Statement" :[
        {
            "Sid":"give-1234-publish",
            "Effect":"Allow",           
            "Principal" :{
                "AWS":"111122223333"
             },
            "Action":["sns:Publish"],
            "Resource":"arn:aws:sns:us-east-1:444455556666:MyTopic"
        }
    ]
}

Also, you can use the "AWS:SourceAccount" condition key together with the principal *.

Answer 1 (score: 0)

Here is the topic policy that works for the case above:

{
  "Version": "2012-10-17",
  "Id": "MyTopicPolicy",
  "Statement": [
    {
      "Sid": "sid001",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
        }
      }
    }
  ]
}

The tricky part is Condition -> ArnLike

"Condition": {
  "ArnLike": {
    "AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
  }
}
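To make the difference between the two policy shapes concrete, here is an added example (it is not code from the question or either answer). It builds the policy from answer 1 (Principal "*" narrowed by an ArnLike aws:SourceArn condition) and the variant answer 0 suggests (Principal "*" narrowed by aws:SourceAccount), then evaluates both against constructed request contexts with a small matcher. The matcher only understands the two condition keys used here and is not a full IAM policy evaluator; the account IDs and topic ARN come from the question, while the SES configuration-set ARN in the sample request is an assumed format for illustration.

```python
"""Build a cross-account SNS topic policy and sanity-check it locally.

Added example, not code from the question or the answers. The evaluator is
deliberately small: it supports only Allow statements, sns:Publish, and the
ArnLike / StringEquals operators on aws:SourceArn / aws:SourceAccount.
"""
import fnmatch
import json

TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:email-events-topic"  # account 1 (from the question)
SES_ACCOUNT = "222222222222"                                          # account 2 (from the question)
REGION = "us-east-1"


def source_arn_policy(topic_arn, ses_account, region):
    """Answer 1's shape: anyone may publish, but only when the request's
    source ARN is an SES resource in the SES account and region."""
    return {
        "Version": "2012-10-17",
        "Id": "MyTopicPolicy",
        "Statement": [{
            "Sid": "sid001",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:ses:{region}:{ses_account}:*"}},
        }],
    }


def source_account_policy(topic_arn, ses_account):
    """Answer 0's variant: Principal "*" narrowed by aws:SourceAccount."""
    return {
        "Version": "2012-10-17",
        "Id": "AWSAccountTopicAccess",
        "Statement": [{
            "Sid": "allow-service-calls-from-account-2",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"StringEquals": {"aws:SourceAccount": ses_account}},
        }],
    }


def _arn_like(pattern, value):
    """Simplified ArnLike: '*' and '?' wildcards, matched per ARN component."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


def _conditions_hold(condition, request):
    """All conditions must hold; unknown keys/operators or a missing context key fail closed."""
    context = {"aws:sourcearn": request.get("source_arn"), "aws:sourceaccount": request.get("source_account")}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key.lower())  # condition key names are case-insensitive
            if actual is None:
                return False
            if operator == "ArnLike" and not _arn_like(expected, actual):
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator not in ("ArnLike", "StringEquals"):
                return False
    return True


def is_publish_allowed(policy, request):
    """True if an Allow statement grants sns:Publish on request['resource'] to the caller.
    request keys: resource, principal_account, optional source_arn / source_account."""
    acct = request["principal_account"]
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "sns:publish" not in [a.lower() for a in actions]:
            continue
        if st["Resource"] != request["resource"]:
            continue
        if st["Principal"].get("AWS") not in ("*", acct, f"arn:aws:iam::{acct}:root"):
            continue
        if _conditions_hold(st.get("Condition", {}), request):
            return True
    return False


# Constructed request contexts (not captured from AWS); the SES ARN format is assumed.
REQUESTS = {
    "ses_in_account_2": {"resource": TOPIC_ARN, "principal_account": SES_ACCOUNT, "source_account": SES_ACCOUNT,
                         "source_arn": f"arn:aws:ses:{REGION}:{SES_ACCOUNT}:configuration-set/Configuration_Set_01"},
    "ses_in_other_account": {"resource": TOPIC_ARN, "principal_account": "333333333333", "source_account": "333333333333",
                             "source_arn": f"arn:aws:ses:{REGION}:333333333333:configuration-set/x"},
    "direct_caller": {"resource": TOPIC_ARN, "principal_account": "333333333333"},  # plain API call, no service context
}


def evaluate_all():
    """Outcome of every constructed request against both policy shapes."""
    policies = {"source_arn": source_arn_policy(TOPIC_ARN, SES_ACCOUNT, REGION),
                "source_account": source_account_policy(TOPIC_ARN, SES_ACCOUNT)}
    return {name: {req: is_publish_allowed(pol, r) for req, r in REQUESTS.items()} for name, pol in policies.items()}


if __name__ == "__main__":
    print(json.dumps(source_arn_policy(TOPIC_ARN, SES_ACCOUNT, REGION), indent=2))
    print(json.dumps(evaluate_all(), indent=2))
```

Both shapes deny a direct sns:Publish call from an arbitrary account because the service context keys are absent, which is the property the bare Principal "*" policy in the question lacks. The aws:SourceArn form is the narrower of the two, since it also pins the region and the SES service. To apply the generated document for real, the JSON from `json.dumps(policy)` would be passed as the `Policy` attribute to the SNS `SetTopicAttributes` API (for example boto3's `sns.set_topic_attributes(TopicArn=..., AttributeName="Policy", AttributeValue=...)`); that call is not made here.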