我有一个未加密的 SNS 主题,其中订阅了一个加密的 SQS 队列。每当我从 SNS 主题发布消息时,SQS 队列都不会收到消息(当禁用加密时,SQS 队列成功地从 SNS 主题接收消息)。到目前为止,我一直在关注this guide。这是我目前完成的:
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${aws_account_id}:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow SNS to use KMS",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*"
}
]
}
目前我停留在“为生产者配置 KMS 权限”部分。当我在 KMS CMK 密钥策略的 Statement 列表中添加以下语句时,我收到错误 MalformedPolicyDocumentException - Policy contains a statement with no principal。
{
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "${kms_customer_managed_key_arn}"
},
{
"Effect": "Allow",
"Action": [
"sqs:SendMessage"
],
"Resource": "${sqs_queue_arn}"
}
该指南未在其政策中包含委托人,因此我不明白为什么我会收到错误消息。任何人都可以就如何推进此问题给我任何帮助或建议吗?