我有两个AWS帐户:
我想将SNSDestination添加到 Configuration_Set_01 -以便能够将SES事件通知发布到电子邮件事件主题
我为电子邮件事件主题设置了以下主题政策:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2222222222222:root"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
}
]
}
当我尝试将SNSDestination添加到 Configuration_Set_01 时,引用电子邮件事件主题,它给我一个错误 无法访问SNS主题<…> … :
如果电子邮件事件主题的政策如下,则可以成功添加目标:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
}
]
}
这有效:
"Principal": {
"AWS": "*"
}
这不起作用:
"Principal": {
"AWS": "arn:aws:iam::222222222222:root"
}
正如我在这里看到的https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html-第二个选项中 Principal.AWS 值的语法正确。
如何在电子邮件事件主题上正确设置主题策略,以便仅将其作为事件目标添加到帐户2的SES配置集(或任何帐户2的服务)中?
如果问题不仅与主题政策有关,应该采取什么其他措施来解决该问题?
答案 0 :(得分:0)
您共享的示例链接适用于S3资源策略。您能否尝试按照以下SNS document中的政策进行修改?
{
"Version":"2012-10-17",
"Id":"AWSAccountTopicAccess",
"Statement" :[
{
"Sid":"give-1234-publish",
"Effect":"Allow",
"Principal" :{
"AWS":"111122223333"
},
"Action":["sns:Publish"],
"Resource":"arn:aws:sns:us-east-1:444455556666:MyTopic"
}
]
}
此外,您还可以将"AWS:SourceAccount"条件密钥与主体*一起使用。
答案 1 :(得分:0)
这是主题政策,它适用于上述情况:
{
"Version": "2012-10-17",
"Id": "MyTopicPolicy",
"Statement": [
{
"Sid": "sid001",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
}
}
}
]
}
棘手的部分是Condition -> ArnLike:
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
}
}