Encryption with Serverless: encrypting a topic on AWS
I'm creating a topic on AWS using Serverless. That all works fine, but I want to encrypt the topic with SSE. How do I do that, and what should the YAML look like? So far I have:
MyTopic:
  Type: AWS::SNS::Topic
  Properties:
    TopicName: MyTopic
MyTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    Topics:
      - Ref: MyTopic
    PolicyDocument:
      Id: MyTopicPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: AllowSubscribe
          Effect: Allow
          Principal:
            AWS: <ID>
          Action:
            - SNS:Subscribe
          Resource: !Ref MyTopic
Just add KmsMasterKeyId:
MyTopic:
  Type: AWS::SNS::Topic
  Properties:
    TopicName: MyTopic
    KmsMasterKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab
Source: as the answer above shows, you need to reference the KMS key in the SNS topic definition. You can use the default KMS key for SNS (alias aws/SNS) or create your own key.
The CloudFormation below shows how to create an encrypted topic and its KMS key in the same template, using your own key. The key policy allows the whole AWS account to administer and use the key; depending on the security requirements of your environment, you may want to lock it down following the principle of least privilege.
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Demo template for Encrypted SNS Topic
Resources:
  SNSKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: Demo KMS Key Policy
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'  # quoted so YAML parsers do not read it as a date
        Id: KmsKeyPolicy
        Statement:
          - Sid: SimpleKeyPolicyAllowAccountAdmin
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - 'kms:*'
            Resource: '*'
          - Sid: SimpleKeyPolicyAllowAccountUsage
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - 'kms:Decrypt'
              - 'kms:Encrypt'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: '*'
  SNSKmsKeyAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: !Sub "alias/${AWS::StackName}-SNSEncryptionKey"
      TargetKeyId: !Ref SNSKMSKey
  # -- Encrypted SNS Topic -- #
  EncryptedSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "${AWS::StackName}-EncryptedSNSTopic"
      KmsMasterKeyId: !Ref SNSKMSKey
Outputs:
  KmsKeyId:
    Value: !Ref SNSKMSKey
  TopicArn:
    Value: !Ref EncryptedSNSTopic
If you are looking for a simple SNS topic with the default KMS key, here is the syntax. I have also added an email subscription; change the subscription as you need:
RedshiftNotificationTopicSNS:
  Type: AWS::SNS::Topic
  Properties:
    KmsMasterKeyId: alias/aws/sns
    Subscription:
      - Endpoint: !Ref NotificationEmailId
        Protocol: email
Thanks for your help. What does KmsMasterKeyId indicate? Does this get picked up automatically? This is similar to specifying an ARN. If the answer helped, please mark it as the correct answer. Thanks.
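As an added example (not from the question or any of the answers): an audit script for the KmsMasterKeyId attribute the answers above set, separating an unencrypted topic from one on the default alias/aws/sns key and from one on a customer-managed key, since only the latter has a key policy you can edit. The topic ARNs, account number and key values in SAMPLE are constructed; fetch_topic_attributes is a hypothetical helper that needs boto3 and is only required for a live run.

```python
import re

# KmsMasterKeyId may be a bare key ID, a key ARN, an alias name or an alias ARN
# (single-region key IDs only; multi-region "mrk-" IDs fall through as unrecognized).
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
KEY_ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:[\w-]+:\d{12}:key/[0-9a-f-]{36}$")
ALIAS_RE = re.compile(r"^(?:arn:aws[\w-]*:kms:[\w-]+:\d{12}:)?(alias/[A-Za-z0-9/_-]+)$")
AWS_MANAGED_SNS_ALIAS = "alias/aws/sns"

def classify_key(kms_master_key_id):
    """none: plaintext topic.  aws-managed: alias/aws/sns, encrypted but its key policy
    cannot be edited (so no cross-account publishers).  customer-managed / unrecognized."""
    value = (kms_master_key_id or "").strip()
    if not value:
        return "none"
    alias = ALIAS_RE.match(value)
    if alias:
        return "aws-managed" if alias.group(1) == AWS_MANAGED_SNS_ALIAS else "customer-managed"
    if KEY_ID_RE.match(value) or KEY_ARN_RE.match(value):
        return "customer-managed"
    return "unrecognized"

def audit_topics(topic_attributes):
    """topic_attributes: {topic ARN: attributes dict from GetTopicAttributes}.
    Returns (ARN, classification) for every topic not on a customer-managed key."""
    findings = []
    for arn, attrs in sorted(topic_attributes.items()):
        kind = classify_key(attrs.get("KmsMasterKeyId"))
        if kind != "customer-managed":
            findings.append((arn, kind))
    return findings

def fetch_topic_attributes(region_name):
    """Live variant (hypothetical helper): needs boto3 plus sns:ListTopics and sns:GetTopicAttributes."""
    import boto3
    sns = boto3.client("sns", region_name=region_name)
    result = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            result[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return result

# Constructed sample input, modelled on the three topics shown in the answers above.
PREFIX = "arn:aws:sns:us-east-1:123456789012:"
SAMPLE = {
    PREFIX + "MyTopic": {},  # the question's topic: no KmsMasterKeyId at all
    PREFIX + "RedshiftNotificationTopicSNS": {"KmsMasterKeyId": "alias/aws/sns"},
    PREFIX + "EncryptedSNSTopic": {"KmsMasterKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
}
```

`audit_topics(SAMPLE)` reports MyTopic as none and RedshiftNotificationTopicSNS as aws-managed; `audit_topics(fetch_topic_attributes("us-east-1"))` runs the same check against a real account.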