我在 cloudformation 控制台中获得了具有逻辑 ID MyBucket
的 S3 存储桶的状态 UPDATE_FAILED
,并通过以下状态原因进行了解释:
Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: ABCDEFGHIJK; S3 Extended Request ID: Aqd2fih3ro981DED8wq48io9e51rSD5e3Fo3iw5ue31br; Proxy: null)
我有以下 CloudFormation 模板:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
MyBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: my-bucket-name
NotificationConfiguration:
QueueConfigurations:
- Event: s3:ObjectCreated:Put
Filter:
S3Key:
Rules:
- Name: suffix
Value: jpg
Queue: !GetAtt MyQueue.Arn
MyQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: my-queue
KmsMasterKeyId: alias/an-encryption-key
MyQueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- !Ref MyQueue
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- s3.amazonaws.com
Action: SQS:SendMessage
Resource: !GetAtt MyQueue.Arn
EncryptionKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: '2012-10-17'
Id: some-id
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: "kms:*"
Resource: '*'
KeyUsage: ENCRYPT_DECRYPT
EncryptionKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/an-encryption-key
TargetKeyId: !Ref EncryptionKey
为了使 CloudFormation 堆栈成功,我应该对模板执行哪些更改? 状态原因太模糊,我无法理解出了什么问题。 我知道它与通知配置有关,因为如果我删除它,CloudFormation 就会成功。 Stackoverflow 上的其他类似帖子提到了队列策略缺失或不准确,但由于我有队列策略,我认为这不是问题所在。
最佳答案
问题是,由于在队列上启用了服务器端加密,S3 应该能够:
- 让 KMS 生成适当的数据 key
- 能够使用 EncryptionKey 进行解密
添加一条以 S3 服务为主体的语句,以允许上述操作:
- Effect: Allow
Principal:
Service: s3.amazonaws.com
Action:
- kms:GenerateDataKey
- kms:Decrypt
Resource: "*"
关于amazon-web-services - 无法使用已配置的 SQS 策略验证 Cloudformation 中 S3 到 SQS 通知的以下目标配置,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65144011/