Amazon s3 “如何修复”;无法验证以下目标配置";以什么形式?
我正在编写一个CloudFormation,它创建一个S3 bucket和一个SQS队列。在同一个CFN中,我尝试允许S3 bucket向SQS队列发送消息。我不断地发现这个错误: 无法验证以下目标配置 昨天我花了大约12个小时进行反复试验。我想我现在已经阅读了所有关于这个话题的文章。大多数似乎都是关于Lambdas或SNS的话题,但过程应该是一样的。我曾尝试在S3存储桶中添加DependsOn,以便在存储桶之前创建SQS策略,但没有成功。然后我做了另一个建议的解决方案,即创建bucket和sqs,然后为sqs bucket创建允许s3发布到它的策略,最后创建通知。我成功创建了通知 以下是我创建的sqs:Amazon s3 “如何修复”;无法验证以下目标配置";以什么形式?,amazon-s3,yaml,amazon-cloudformation,amazon-sqs,Amazon S3,Yaml,Amazon Cloudformation,Amazon Sqs,我正在编写一个CloudFormation,它创建一个S3 bucket和一个SQS队列。在同一个CFN中,我尝试允许S3 bucket向SQS队列发送消息。我不断地发现这个错误: 无法验证以下目标配置 昨天我花了大约12个小时进行反复试验。我想我现在已经阅读了所有关于这个话题的文章。大多数似乎都是关于Lambdas或SNS的话题,但过程应该是一样的。我曾尝试在S3存储桶中添加DependsOn,以便在存储桶之前创建SQS策略,但没有成功。然后我做了另一个建议的解决方案,即创建bucket和sq
SQSBiaData:
Type: AWS::SQS::Queue
Properties:
QueueName: !Ref Queue
Tags:
- Key: 'Environment'
Value: !Ref Environment
S3BucketBiaData:
Type: AWS::S3::Bucket
DependsOn:
- SQSBiaPolicy
DeletionPolicy: Retain
Properties:
AccessControl: Private
BucketName: !Ref BucketName
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
Tags:
- Key: 'Environment'
Value: !Ref Environment
NotificationConfiguration:
QueueConfigurations:
- Event: 's3:ObjectCreated:*'
Queue: 'arn:aws:sqs:us-east-1:123456:bia-data'
Filter:
S3Key:
Rules:
- Name: 'prefix'
Value: 'manifest/'
以下是我的sqs政策:
SQSBiaPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- !Ref SQSBiaData
PolicyDocument:
Statement:
- Sid: SendMessage
Effect: Allow
Principal:
AWS: !Ref AccountNumber
Action: SQS:SendMessage
Resource:
- 'arn:aws:sqs:us-east-1:123456:bia-data'
Condition:
ArnLike:
aws:SourceArn:
Fn::Join:
- ''
- - 'arn:aws:s3:*:*:'
- 'bia-data'
以下是我的bucket创建:
SQSBiaData:
Type: AWS::SQS::Queue
Properties:
QueueName: !Ref Queue
Tags:
- Key: 'Environment'
Value: !Ref Environment
S3BucketBiaData:
Type: AWS::S3::Bucket
DependsOn:
- SQSBiaPolicy
DeletionPolicy: Retain
Properties:
AccessControl: Private
BucketName: !Ref BucketName
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
Tags:
- Key: 'Environment'
Value: !Ref Environment
NotificationConfiguration:
QueueConfigurations:
- Event: 's3:ObjectCreated:*'
Queue: 'arn:aws:sqs:us-east-1:123456:bia-data'
Filter:
S3Key:
Rules:
- Name: 'prefix'
Value: 'manifest/'
最后,这是我的桶政策:
S3BucketBiaPolicies:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref BucketName
PolicyDocument:
Statement:
- Sid: DenyInsecureConnections
Effect: Deny
Principal: '*'
Action: s3:*
Resource:
- !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
Condition:
Bool:
aws:SecureTransport: 'false'
- Sid: DenyPublicReadGrant
Effect: Deny
Principal:
AWS: "*"
Action:
- s3:PutObject
- s3:PutObjectAcl
Resource:
- !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
Condition:
StringLike:
s3:x-amz-grant-read:
- "*http://acs.amazonaws.com/groups/global/AllUsers*"
- "*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"
- Sid: OnlyAllowVPCAccess
Effect: Deny
Principal: '*'
Action: s3:*
Resource:
- !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
Condition:
ForAnyValue:StringNotEquals:
'aws: sourceVpce': !Ref VPCs
我预计CFN将按以下顺序进行:
谢谢 虽然我不知道您的问题的确切原因,但我建议您更频繁地使用伪参数,以简化调试 我将用
${AWS::Region}
替换“us-east-1”,用${AWS::AccountId}
替换“123456”
我也会用一个!在S3定义中引用队列时获取ATT。而不是队列:“arn:aws:sqs:us-east-1:123456:bia数据”
队列:!GetAtt SQSBiaData.Arn
最后,我将在SQS策略的最后一行中使用参数“BucketName”作为参考
这些更改可能会使此处的用户更容易调试