Amazon Web Services: User: ARN is not authorized to perform: SNS:Publish on resource: ARN (AWS integration error)
Tags: amazon-web-services, amazon-cloudformation, amazon-iam, amazon-sns, aqua
I am trying to monitor an AWS cloud environment with AquaSec. AquaSec helps you connect to your AWS environment by providing a CloudFormation template that you deploy in the AWS environment. Once deployed, you use the resulting ARN in AquaSec to connect/integrate the two. Any alerts from Aquasec are sent to an SNS topic, which in turn forwards them to an HTTPS endpoint. Here is the CloudFormation template file:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Aqua CSPM security scanner cross-account role",
"Parameters": {
"ExternalId": {
"Type": "String",
"Description": "The external ID auto-generated from the Aqua Cloud dashboard. Do not change this value.",
"AllowedPattern": "[-a-z0-9]*",
"ConstraintDescription": "Must be lowercase or numbers, no spaces, dashes ok."
}
},
"Resources": {
"AquaCSPMRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-api"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-collector"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-remediator"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-tasks"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "ExternalId"
}
},
"IpAddress": {
"aws:SourceIp": "3.231.74.65/32"
}
}
}
]
},
"Policies": [
{
"PolicyName": "aqua-cspm-supplemental-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:DescribeActiveReceiptRuleSet",
"athena:GetWorkGroup",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"elastictranscoder:ListPipelines",
"elasticfilesystem:DescribeFileSystems",
"servicequotas:ListServiceQuotas",
"ssm:ListAssociations",
"dlm:GetLifecyclePolicies",
"airflow:ListEnvironments",
"glue:GetSecurityConfigurations",
"devops-guru:ListNotificationChannels"
],
"Resource": "*"
}
]
}
}
],
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/SecurityAudit"
]
}
}
},
"Outputs": {
"AquaCSPMeArn": {
"Description": "The role ARN of the cross-account user. Copy this into Aqua Cloud.",
"Value": {
"Fn::GetAtt": [
"AquaCSPMRole",
"Arn"
]
}
},
"StackVersion": {
"Description": "The Aqua CSPM stack version.",
"Value": "2.0"
}
}
}
I am trying to set up an Amazon SNS topic and use it to send alerts to the ARN in Aquasec. Once I created an SNS topic, copied its ARN into Aquasec and tried a test notification, I keep getting this error:
{
"message": "User: arn:aws:sts::057012691312:assumed-role/lambda-cloudsploit-api/cloudsploit-api is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:940386435759:example-aqua-integration",
"code": "AuthorizationError",
"time": "2021-04-19T22:15:54.463Z",
"requestId": "bc808944-3430-5683-aed1-d1bc376a70f5",
"statusCode": 403,
"retryable": false,
"retryDelay": 50.2772842473471
}
I have tried almost everything possible: changing the topic policy on the SNS topic (various combinations of the "Principal" field), and trying to grant the permission in specific IAM roles. Nothing seems to work, and I keep getting the same error.
I feel it has something to do with the template file (in the "AssumeRole" configuration).
Any suggestions on what to change / what to try?
Thanks

Comment: What is your policy? The SNS topic policy? The Lambda execution role? A user policy?

Reply: The first one is the CloudFormation template that integrates Aquasec and AWS, the second one is the error when the SNS topic is exercised.
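A detail worth reading out of the error above: the caller is an assumed-role session in account 057012691312, the Aqua account that the template's AssumeRole statements trust, while the topic lives in account 940386435759. IAM policies in the topic owner's account cannot grant anything to a role that belongs to another account, so a cross-account publish grant has to be a resource policy attached to the topic itself, and its Principal has to name the IAM role ARN (AWS resolves an `arn:aws:sts::ACCT:assumed-role/ROLE/SESSION` caller to `arn:aws:iam::ACCT:role/ROLE` when matching). The following Python is an added example, not code from the question or from Aqua: it builds a least-privilege topic policy that names only the four roles from the template, and includes a small, simplified policy evaluator (no Conditions, exact resource match) so the reasoning can be checked offline. The topic name `example-aqua-integration` and the session name `cloudsploit-api` are constructed; the account ids and role names are the ones on this page.

```python
import json

# Values taken from the question: the Aqua account and the role names in the
# template's AssumeRole statements, and the topic account from the error message.
AQUA_ACCOUNT = "057012691312"
AQUA_ROLES = [
    "lambda-cloudsploit-api",
    "lambda-cloudsploit-collector",
    "lambda-cloudsploit-remediator",
    "lambda-cloudsploit-tasks",
]
TOPIC_OWNER_ACCOUNT = "940386435759"
# Constructed topic name; only the shape of the ARN matters here.
TOPIC_ARN = f"arn:aws:sns:us-east-1:{TOPIC_OWNER_ACCOUNT}:example-aqua-integration"
# Caller ARN in the shape the AuthorizationError reports (session name constructed).
FAILING_CALLER = f"arn:aws:sts::{AQUA_ACCOUNT}:assumed-role/lambda-cloudsploit-api/cloudsploit-api"


def build_topic_policy(topic_arn, account, roles):
    """Least-privilege SNS topic (resource) policy.

    Only the named IAM roles in `account` may call SNS:Publish on this one topic.
    Naming the roles, rather than "*" or the whole account, keeps the topic from
    becoming a world-writable alert channel.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowNamedCrossAccountRolesToPublish",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [f"arn:aws:iam::{account}:role/{name}" for name in roles]
                },
                "Action": "SNS:Publish",
                "Resource": topic_arn,
            }
        ],
    }


def canonical_principal(caller_arn):
    """Map an STS assumed-role ARN to the IAM role ARN a resource policy names.

    arn:aws:sts::ACCT:assumed-role/ROLE/SESSION  ->  arn:aws:iam::ACCT:role/ROLE
    Any other ARN (IAM user, account root) is returned unchanged.
    """
    prefix = "arn:aws:sts::"
    marker = ":assumed-role/"
    if caller_arn.startswith(prefix) and marker in caller_arn:
        account, rest = caller_arn[len(prefix):].split(marker, 1)
        role_name = rest.split("/", 1)[0]
        return f"arn:aws:iam::{account}:role/{role_name}"
    return caller_arn


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def publish_allowed(policy, caller_arn, topic_arn):
    """Simplified evaluator for a topic policy: an explicit Deny wins, else any matching Allow.

    Models AWS principals (including the bare "*" form), "*" wildcards, exact resource
    match and case-insensitive action names; Condition blocks are not modelled.
    """
    principal = canonical_principal(caller_arn)
    decision = False
    for statement in policy["Statement"]:
        principal_field = statement.get("Principal", {})
        if isinstance(principal_field, str):
            principals = [principal_field]
        else:
            principals = _as_list(principal_field.get("AWS", []))
        actions = [a.lower() for a in _as_list(statement.get("Action", []))]
        resources = _as_list(statement.get("Resource", []))
        matches = (
            ("*" in principals or principal in principals)
            and ("*" in actions or "sns:*" in actions or "sns:publish" in actions)
            and ("*" in resources or topic_arn in resources)
        )
        if not matches:
            continue
        if statement["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    policy = build_topic_policy(TOPIC_ARN, AQUA_ACCOUNT, AQUA_ROLES)
    print(json.dumps(policy, indent=2))
    print("Aqua api role may publish:", publish_allowed(policy, FAILING_CALLER, TOPIC_ARN))
```

The evaluator makes the two usual mistakes visible: a topic policy whose Principal names roles in the topic owner's own account (940386435759) never matches the Aqua caller, and granting to "*" would match but also lets anyone on the internet publish fake alerts into the pipeline, which is why the policy above names the four roles explicitly.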