amazon-web-services - 如何为S3事件编写加密的SQS的策略声明?

标签 amazon-web-services amazon-s3 permissions amazon-sqs aws-kms

我有一个SQS队列,使用来拥有以下策略文档。用于从存储桶接收S3事件:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

现在,我为队列启用了服务器端加密(SSE)。而且,我遵循this doc编写了用于加密的策略声明。现在的策略声明如下所示:
{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}

但是现在,队列没有从存储桶中获取任何有关文件添加的消息。 我的权限有问题吗?

最佳答案

现在这是可能的。从AWS文档中:

部分下的https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3 AWS KMS key 策略

If the SQS queue is SSE enabled, you can attach the following key policy to the associated AWS Key Management Service (AWS KMS) customer managed customer master key (CMK). The policy grants the Amazon S3 service principal permission for specific AWS KMS actions that are necessary for to encrypt messages added to the queue.

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

关于amazon-web-services - 如何为S3事件编写加密的SQS的策略声明?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44585726/

上一篇:amazon-web-services - 如何在 AWS Cloudformation 中使用 create-change-set 创建新堆栈

下一篇:wolfram-mathematica - 在函数中使用剪贴板

相关文章:

android - 如何检查用户是否在运行时在 Android 上授予了权限?

permissions - 媒体维基 1.18.3/1.19.0 : Namespaces restrictions

eclipse - : uploading code to lambda 期间发生内部错误

amazon-web-services - 不使用 route53 将 Cloudflare 指向 AWS EC2 服务器

amazon-web-services - 单独使用 AWS S3 或 S3 和 Cloudfront 进行视频下载

ssl - aws 连接上的 OpenSSL 未知协议(protocol)错误

amazon-web-services - 私有(private) AWS Lambda API 端点

amazon-web-services - CodeCommit 通知不向 SNS 发送事件

javascript - 如何使用 s3 api 和 node.js 将文件上传到 Wasabi 存储桶?

android - 蓝牙权限丢失错误,而我不需要蓝牙

©2024 IT工具网  联系我们