Amazon web services 允许帐户中的任何AWS资源发布到SQS队列
,此策略允许任何S3 bucket向SNS主题发送通知:Amazon web services 允许帐户中的任何AWS资源发布到SQS队列,amazon-web-services,amazon-sqs,Amazon Web Services,Amazon Sqs,,此策略允许任何S3 bucket向SNS主题发送通知: { "Version":"2012-10-17", "Id":"MyAWSPolicy", "Statement" :[ { "Sid":"My-statement-id", "Effect":"Allow", "Principal" :"*", "Action":"sns:Publish",
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sns:Publish",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Topic",
"Condition":{
"StringEquals":{
"AWS:SourceAccount":"444455556666"
}
}
}
]
}
我想对SQS队列而不是SNS主题执行同样的操作。此策略不起作用:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:111122223333:*"
}
}
}
]
}
这(允许世界上的每个AWS帐户)起作用:
但当我试图用校长来限制它时,它又不起作用了:
{
"Version":"2012-10-17",
"Id":"MyAWSPolicy",
"Statement" :[
{
"Sid":"My-statement-id",
"Effect":"Allow",
"Principal" :"111122223333",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sns:us-east-1:111122223333:My-Queue",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:s3:*:*:*"
}
}
}
]
}
“不工作”是指策略被接受为有效,但当我尝试配置S3 bucket以发送通知(NotificationConfiguration)时,会出现以下错误:
Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket
负责人是将文件上载到S3的用户吗?我不认为这将成为AWS向SNS发送S3通知的主要方式。你到底想完成什么?您是否试图限制一个bucket向SNS主题发送通知?或者你试图限制一个bucket的一个用户触发SNS主题的通知吗?我试图使SQS可以从S3中上传的任何内容写入,因为只有为此AWS帐户创建的AWS IAM用户才能上传文件。除了避免来自其他帐户的通知之外,我对限制访问不感兴趣。
Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket