个人中心
gpt4 book ai didi

amazon-sns - 允许CloudWatch Alarm以其他帐户发送到SNS

转载 作者:行者123 更新时间:2023-12-04 03:56:30 24 4
gpt4 key购买 nike

我在帐户“A”中有一个SNS主题,这是该帐户中Lambda函数的触发器。此Lambda函数将消息发送到专用的Slack channel 。

只要CloudWatch警报位于同一帐户(帐户A)中,此方法就可以正常工作。

但是我也想通过“帐户B”执行此操作,但是我得到了:

{
  "error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "actionState": "Failed",
  "notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
  "stateUpdateTimestamp": 1495732611020,
  "publishedMessage": null
}

那么,如何允许CloudWatch Alarm ARN访问权限发布到该主题?

尝试添加策略失败,并显示以下信息: 
Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725)

我在 https://forums.aws.amazon.com/thread.jspa?threadID=143607上看到其他人/曾经有过同样的问题(几年前!),但是从未有人回答过。

更新:

为了解决这个问题,我现在尝试使用本地SNS主题,然后将其发送到删除帐户。但是,我仍然得到: 
"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"

通过此SNS政策,这是: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    }
  ]
}

如果我使用 手动将消息发送到主题Publish to topic ,则可以看到它达到了Lambda函数,因此除CloudWatch访问权限外的所有内容。

最佳答案

通过反复试验,我发现条件不起作用。因为某些原因。不确定为什么看不到源帐户...

更广泛的政策使其得以发挥作用:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountToSubscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
      },
      "Action": [
        "sns:Subscribe",
        "sns:Receive"
      ],
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
    },
    {
      "Sid": "AllowLocalAccountToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "LOCAL_ACCOUNT"
        }
      }
    },
    {
      "Sid": "AllowCloudWatchAlarmsToPublish",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*"
        }
      }
    }
  ]
}

关于amazon-sns - 允许CloudWatch Alarm以其他帐户发送到SNS,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44186837/

24 4 0
文章推荐: spring-boot - Spring Boot RestController 不返回 JSON 数据
文章推荐: android-intent - 通过 WebView 从图库和相机中选择图像在 Android 6.0 Marshmallow 中不起作用
文章推荐: r - 使用模糊逻辑连接两个数据集
文章推荐: firebase - 确保第三方无法读取我们 Firebase 实时数据库中的数据
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com