AWS Cloudwatch alarm from Account A unable to publish to SNS topic in Account B
Just when I thought I had cross-organization permissions sorted, I got stuck with CloudWatch alarms and SNS.
Tried multiple options but cannot get the correct access policy on the SNS topic. The CloudWatch alarm and the SNS topic are in the same region but in different accounts within the same organization. Surely I do not need a Lambda in the middle to manage this; AWS now has cross-organization support for CloudWatch. I have tried the options below.
SNS topic in Account A = 1111111111
CloudWatch alarm in Account B = 22222222
Option 1 - Account B has publish permission on the SNS topic
{
    "Sid": "__console_pub_0",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111111111111:root",
            "arn:aws:iam::222222222222:root"
        ]
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}
Option 2 - grant the CloudWatch service access to publish to the SNS topic
{
    "Sid": "Allow_Publish_Alarms",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}
Option 3 - cross-organization permission; I also updated the IAM role in Account B
{
    "Sid": "CrossOrgPublish01",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
        }
    }
}
Option 3 should work as per the AWS documentation, but you said they are in the same region.
In this respect they are different regions. One is us-east-1 and one is us-east-2. It is important that these share the same region.
Also verify that Option 3 is applied as an SNS topic policy, not to an IAM user or role.
To modify it, go to the SNS topic in the console, select Edit, and add the statement in the "Access Policy" section.
Option 3 is correct. However, this is not an IAM role in Acc B. It should be added as a statement to the topic policy in Acc A.
Assuming you have the default topic policy in Acc A, after adding the new statement you will have:
SNS topic policy in Acc A
{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:Publish",
                "SNS:RemovePermission",
                "SNS:SetTopicAttributes",
                "SNS:DeleteTopic",
                "SNS:ListSubscriptionsByTopic",
                "SNS:GetTopicAttributes",
                "SNS:Receive",
                "SNS:AddPermission",
                "SNS:Subscribe"
            ],
            "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "111111111111"
                }
            }
        },
        {
            "Sid": "CrossOrgPublish01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
                }
            }
        }
    ]
}
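A small local model of the policy logic the answer above relies on, added here as an example; it is not code from the question or the answers and it never calls AWS. It merges the answer's CrossOrgPublish01 statement into the default topic policy (replacing a statement with the same Sid, so re-applying the change does not stack duplicates) and then evaluates sns:Publish requests with a simplified IAM-style check that models only the two condition operators on this page: StringEquals on AWS:SourceOwner and ArnLike on aws:SourceArn, with ArnLike matched per colon-delimited ARN component as IAM does. The alarm name HighCPU, the unrelated account 333333333333 and the shortened action list in the default statement are constructed for the example; Deny statements and every other condition operator are left out.

```python
import copy
import fnmatch
import json

TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:alerttopicname"
TOPIC_OWNER = "111111111111"    # Account A, which owns the topic
ALARM_ACCOUNT = "222222222222"  # Account B, which owns the CloudWatch alarms

# Default policy SNS attaches to a new topic; the action list is shortened
# for this example (constructed), the answer above shows the full list.
DEFAULT_TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
            "Resource": TOPIC_ARN,
            "Condition": {"StringEquals": {"AWS:SourceOwner": TOPIC_OWNER}},
        }
    ],
}


def cross_account_alarm_statement(topic_arn, alarm_account, region="us-east-1"):
    """The answer's statement: any principal may publish, but only when the
    request originates from a CloudWatch alarm owned by alarm_account in region."""
    return {
        "Sid": "CrossOrgPublish01",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:cloudwatch:{region}:{alarm_account}:alarm:*"}
        },
    }


def add_statement(policy, statement):
    """Copy of policy with statement added; a statement carrying the same Sid
    is replaced, so applying the change twice does not duplicate it."""
    merged = copy.deepcopy(policy)
    merged["Statement"] = [s for s in merged["Statement"] if s.get("Sid") != statement["Sid"]]
    merged["Statement"].append(statement)
    return merged


def _arn_like(actual, pattern):
    """ArnLike as IAM applies it: each of the six colon-delimited components is
    matched on its own, so a '*' never spans a component boundary."""
    a, p = actual.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) == 6 and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))


def _condition_matches(condition, context):
    """Simplified evaluator for the two operators used on this page. Condition
    keys are case-insensitive (hence the lower-casing); a key that is absent
    from the request context makes the condition fail."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, clauses in condition.items():
        if operator not in ("StringEquals", "ArnLike"):
            raise ValueError(f"operator {operator} is not modelled in this example")
        for key, expected in clauses.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "ArnLike" and not _arn_like(actual, expected):
                return False
    return True


def is_publish_allowed(policy, topic_arn, context):
    """True if some Allow statement grants sns:Publish on topic_arn for the
    given request context (Deny is not modelled; the page uses none)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or stmt["Resource"] != topic_arn:
            continue
        if "sns:publish" not in {a.lower() for a in actions}:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def evaluate_cases():
    """Representative request contexts (constructed) against the merged policy."""
    policy = add_statement(DEFAULT_TOPIC_POLICY, cross_account_alarm_statement(TOPIC_ARN, ALARM_ACCOUNT))
    cases = {
        "account B alarm, us-east-1": {"aws:SourceArn": f"arn:aws:cloudwatch:us-east-1:{ALARM_ACCOUNT}:alarm:HighCPU"},
        "account B alarm, us-east-2": {"aws:SourceArn": f"arn:aws:cloudwatch:us-east-2:{ALARM_ACCOUNT}:alarm:HighCPU"},
        "unrelated account alarm": {"aws:SourceArn": "arn:aws:cloudwatch:us-east-1:333333333333:alarm:HighCPU"},
        "caller inside account A": {"AWS:SourceOwner": TOPIC_OWNER},
    }
    return {name: is_publish_allowed(policy, TOPIC_ARN, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    print(json.dumps(add_statement(DEFAULT_TOPIC_POLICY,
                                   cross_account_alarm_statement(TOPIC_ARN, ALARM_ACCOUNT)), indent=2))
    for name, allowed in evaluate_cases().items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

Running it prints the merged topic policy followed by one line per case: only the Account B alarm in us-east-1 and a caller inside Account A are allowed, while the same alarm in us-east-2 and an alarm in an unrelated account are refused, which is the region mismatch the first answer warns about and the scoping the aws:SourceArn condition provides. Because the statement's Principal is "*", that condition block is the only thing limiting who can publish, so a review of the topic policy should confirm it is present and pinned to the intended account and region.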