如何在一个账户中设置 AWS SNS 以便能够接收来自其他账户的 SES 的通知?
How to set up AWS SNS in one account to be able to receive notifications from SES of other account?
我有两个 AWS 账户:
- 帐户 1 (111111111111) 包含简单通知服务主题(电子邮件事件主题)
- 帐户 2 (222222222222) 包含带配置集的简单电子邮件服务 (Configuration_Set_01)。
我想将 SNSDestination 添加到 Configuration_Set_01 - 以便能够将 SES 事件通知发布到 电子邮件事件主题
我为电子邮件事件主题设置了以下主题策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2222222222222:root"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
}
]
}
当我尝试将 SNSDestination 添加到 Configuration_Set_01 时,引用 Email Events Topic,它给我一个错误 无法访问 SNS 主题 <…> …:
如果Email Events Topic的策略如下,则可以成功添加目的地:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
}
]
}
这个有效:
"Principal": {
"AWS": "*"
}
这行不通:
"Principal": {
"AWS": "arn:aws:iam::222222222222:root"
}
正如我在此处看到的那样 https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html - 第二个选项中 Principal.AWS 值的语法是正确的。
如何在 电子邮件事件主题 上正确设置主题策略,以便能够仅将其作为事件目标添加到帐户 2 的 SES 配置集(或任何帐户 2 的服务) )?
如果问题不仅仅与主题策略有关,还应该采取什么措施来解决问题?
您共享的示例 link 适用于 S3 资源策略。您能否尝试按以下方式编辑来自 SNS document 的政策?
{
"Version":"2012-10-17",
"Id":"AWSAccountTopicAccess",
"Statement" :[
{
"Sid":"give-1234-publish",
"Effect":"Allow",
"Principal" :{
"AWS":"111122223333"
},
"Action":["sns:Publish"],
"Resource":"arn:aws:sns:us-east-1:444455556666:MyTopic"
}
]
}
此外,您还可以将 "AWS:SourceAccount" 条件键与 Principal * 一起使用。
这里是主题策略,它适用于所描述的情况:
{
"Version": "2012-10-17",
"Id": "MyTopicPolicy",
"Statement": [
{
"Sid": "sid001",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
}
}
}
]
}
棘手的部分是 Condition -> ArnLike:
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
}
}
我有两个 AWS 账户:
- 帐户 1 (111111111111) 包含简单通知服务主题(电子邮件事件主题)
- 帐户 2 (222222222222) 包含带配置集的简单电子邮件服务 (Configuration_Set_01)。
我想将 SNSDestination 添加到 Configuration_Set_01 - 以便能够将 SES 事件通知发布到 电子邮件事件主题
我为电子邮件事件主题设置了以下主题策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2222222222222:root"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
}
]
}
当我尝试将 SNSDestination 添加到 Configuration_Set_01 时,引用 Email Events Topic,它给我一个错误 无法访问 SNS 主题 <…> …:
如果Email Events Topic的策略如下,则可以成功添加目的地:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic"
}
]
}
这个有效:
"Principal": {
"AWS": "*"
}
这行不通:
"Principal": {
"AWS": "arn:aws:iam::222222222222:root"
}
正如我在此处看到的那样 https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html - 第二个选项中 Principal.AWS 值的语法是正确的。
如何在 电子邮件事件主题 上正确设置主题策略,以便能够仅将其作为事件目标添加到帐户 2 的 SES 配置集(或任何帐户 2 的服务) )?
如果问题不仅仅与主题策略有关,还应该采取什么措施来解决问题?
您共享的示例 link 适用于 S3 资源策略。您能否尝试按以下方式编辑来自 SNS document 的政策?
{
"Version":"2012-10-17",
"Id":"AWSAccountTopicAccess",
"Statement" :[
{
"Sid":"give-1234-publish",
"Effect":"Allow",
"Principal" :{
"AWS":"111122223333"
},
"Action":["sns:Publish"],
"Resource":"arn:aws:sns:us-east-1:444455556666:MyTopic"
}
]
}
此外,您还可以将 "AWS:SourceAccount" 条件键与 Principal * 一起使用。
这里是主题策略,它适用于所描述的情况:
{
"Version": "2012-10-17",
"Id": "MyTopicPolicy",
"Statement": [
{
"Sid": "sid001",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:email-events-topic",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
}
}
}
]
}
棘手的部分是 Condition -> ArnLike:
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:ses:us-east-1:222222222222:*"
}
}