我正在 AWS 上使用无服务器创建主题。这一切正常,但是我想使用 SSE 加密主题。我如何完成这项工作。 yaml文件的格式应该是什么。到目前为止我有
MyTopic:
Type: AWS::SNS::Topic
Properties:
TopicName: MyTopic
MyTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- Ref: MyTopic
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Sid: AllowSubscribe
Effect: Allow
Principal:
AWS: <ID>
Action:
- SNS:Subscribe
Resource: !Ref MyTopic
最佳答案
如上述答案所示,您需要在 SNS 主题定义中引用 KMS key 。您可以为 SNS 使用默认的 KMS key (别名 aws/sns),也可以创建自己的
您可以查看下面的 CloudFormation,了解如何在同一模板中创建加密主题和 KMS key - 使用您自己的 KMS key 。 key 策略设置为允许整个 AWS 账户进行管理和使用,但您可能希望使用最小权限原则来锁定它,具体取决于您所在环境的安全要求。
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Demo template for Encrypted SNS Topic
Resources:
SNSKMSKey:
Type: 'AWS::KMS::Key'
Properties:
Description: Demo KMS Key Policy
Enabled: true
EnableKeyRotation: true
KeyPolicy:
Version: 2012-10-17
Id: KmsKeyPolicy
Statement:
- Sid: SimpleKeyPolicyAllowAccountAdmin
Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action:
- 'kms:*'
Resource: '*'
- Sid: SimpleKeyPolicyAllowAccountUsage
Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action:
- 'kms:Decrypt'
- 'kms:Encrypt'
- 'kms:GenerateDataKey*'
- 'kms:DescribeKey'
Resource: '*'
SNSKmeKeyAlias:
Type: "AWS::KMS::Alias"
Properties:
AliasName: !Sub "alias/${AWS::StackName}-SNSEncryptionKey"
TargetKeyId: !Ref SNSKMSKey
# -- Encrypted SNS Topic -- #
EncryptedSNSTopic:
Type: AWS::SNS::Topic
Properties:
TopicName: !Sub "${AWS::StackName}-EncryptedSNSTopic"
KmsMasterKeyId: !Ref SNSKMSKey
Outputs:
KmsKeyId:
Value: !Ref SNSKMSKey
TopicArn:
Value: !Ref EncryptedSNSTopic
关于encryption - 无服务器,在 aws 上加密主题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58809744/