然而,我希望我的SNS主题被加密。当我使用
alias/aws/sns
密钥打开SNS主题加密时,我在Cloudwatch消息历史记录中收到以下消息:{
"actionState": "Failed",
"stateUpdateTimestamp": 123456778899,
"notificationResource": "arn:aws:sns:xx-region-y:zzzzzzzzzz:topic_name",
"publishedMessage": null,
"error": "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ccccccccccccccccccc)"
}
这似乎不是Cloudwatch的IAM问题,而是SNS本身未被授权使用KMS资源。
我喜欢使用IAM策略模拟器来识别IAM用户权限不足的地方,但似乎没有办法验证服务对其他服务的访问权限。我能管理吗?
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
我也尝试了使用以下策略的CMK:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "route53.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXX:role/OrganizationAccountAccessRole"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
我基本上是在盲目地猜测原则,但我认为对于SNS,
sns.amazonaws.com
和Cloudwatch的events.amazonaws.com
都有验证。我也收到了完全相同的错误,
"null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ccccccccccccccccccc)"
,在使用CMK时也出现了这种情况。我可以理解我的CMK不能正常工作,但我认为Amazon管理的密钥应该可以直接使用。
我尝试使用授予
sns.amazonaws.com
和 events.amazonaws.com
带有 kms:*
权限的 CMK。但出现了相同的错误。