AWS: Forwarding EventBridge events to an encrypted SQS queue (using the Amazon-managed key)


I have an event bus and created an event rule that forwards events to an SQS queue. I have now enabled encryption on the queue using the default Amazon-managed key (alias/aws/sqs).

After enabling encryption the events are no longer forwarded. Searching the AWS documentation I only found information about encryption with a CMK, nothing about the Amazon-managed key.

I suspect it is a permissions problem, but I am not sure. Here are my event rule and access policy:

  queueCreateInvoiceEvent:
    Type: AWS::Events::Rule
    DependsOn: [myQueue]
    Properties:
      Description: Forward INVOICE_CREATED event to SQS queue
      EventBusName: ${self:custom.eventBus.name}
      EventPattern: { "detail-type": ["INVOICE_CREATED"] }
      Name: ${self:service.name}-${self:provider.stage}-buffer-invoice-created-event
      State: ENABLED
      Targets:
        - Id: myQueue
          Arn:
            Fn::GetAtt: [myQueue, Arn]


  createReceiptQueueAccessPolicy:
    Type: AWS::SQS::QueuePolicy
    DependsOn: [queueCreateInvoiceEvent, myQueue]
    Properties:
      Queues:
        - { Ref: myQueue }   # the queue this policy attaches to; must be the rule's target queue above
      PolicyDocument:
        Id: EventBridgeSqsAccessPolicy
        Version: "2012-10-17"
        Statement:
          - Sid: Allow-User-SendMessage
            Effect: Allow
            Principal:
              Service: "events.amazonaws.com"
            Action:
              - sqs:SendMessage
            Resource:
              - Fn::GetAtt: ["myQueue", "Arn"]
            Condition:
              ArnEquals:
                aws:SourceArn:
                  - Fn::GetAtt: ["queueCreateInvoiceEvent", "Arn"]
2 answers

According to the EventBridge troubleshooting page, your KMS key policy needs to allow EventBridge access to the key. Please verify that it contains a statement like this:
{
    "Sid": "Allow EventBridge to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}

I don't understand why EventBridge needs kms:Decrypt, since all it has to do is encrypt the message and put it in the queue; that makes no sense to me. But in my testing, having kms:Decrypt really was essential. - Nic
I also noticed that trying to test aws:SourceArn with a Condition block always failed, so if you run into problems, try removing the Condition block from the KMS key policy. - Nic


Adding to the details given above. As of today (2022-03-04), for an event bus (EventBridge) to send to an encrypted SQS queue you need the following. See the AWS documentation: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse

Several AWS services act as event sources that can send events to Amazon SQS queues. To allow these event sources to work with encrypted queues, you must create a customer-managed KMS key and add permissions to the key policy for the service to use the required AWS KMS API methods.

  1. A customer-managed KMS key with a key policy that allows events.amazonaws.com the required actions.
  2. The SQS queue must be encrypted with that KMS key ID.

Below are the two CloudFormation snippets required.

# KMS key is required to allow eventbridge to send to encrypted sqs queue
# https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse
KmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: my-key-name
    KeyPolicy:
      Version: "2012-10-17"
      Statement:
        - Sid: Allow EventBridge access
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action:
            - kms:GenerateDataKey
            - kms:Decrypt
          Resource: '*'

        - Sid: Allow access for Key Administrators
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/my-role-name
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:*
          Resource: '*'

EventRuleQueue:
  Type: AWS::SQS::Queue
  Properties:
    QueueName: my-queue-name
    KmsMasterKeyId: !Ref KmsKey
    KmsDataKeyReusePeriodSeconds: 43200 # 12 hours to reduce cost
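Both answers come down to one check: the key policy of the queue's KMS key must contain an Allow statement for the events.amazonaws.com service principal covering kms:GenerateDataKey and kms:Decrypt, which is why the Amazon-managed alias/aws/sqs key (whose policy you cannot edit) does not work and a customer-managed key is needed. The following Python script is an added example, not code from either answer or from AWS: it parses a key policy document and reports which of those two actions are not granted to EventBridge, and flags a grant that carries a Condition block, which Nic's comment above reports as failing for aws:SourceArn. The sample policies, the account id 111122223333 and the rule ARN in them are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Service principal EventBridge uses when it calls KMS to deliver to an encrypted queue.
EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"
# The two KMS actions both answers above say the key policy must grant to EventBridge.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def _as_list(value):
    """IAM policy fields may be a bare string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_key_policy(policy_json: str) -> dict:
    """Audit a KMS key policy for the EventBridge grant the answers describe.

    Returns {"missing": [required actions not granted to EventBridge],
             "conditioned": True if an EventBridge grant carried a Condition block}.
    A conditional grant is reported but not counted as satisfying the requirement,
    following Nic's comment that aws:SourceArn conditions in the key policy failed.
    """
    policy = json.loads(policy_json)
    granted = set()
    conditioned = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if EVENTBRIDGE_PRINCIPAL not in services:
            continue
        if stmt.get("Condition"):
            conditioned = True
            continue
        # Action entries may be wildcards such as "kms:*"; match each required action against them.
        for pattern in _as_list(stmt.get("Action")):
            for action in REQUIRED_ACTIONS:
                if fnmatchcase(action, pattern):
                    granted.add(action)
    missing = [a for a in REQUIRED_ACTIONS if a not in granted]
    return {"missing": missing, "conditioned": conditioned}


def _policy(eventbridge_statement):
    """Build a constructed key policy: an administrator statement plus an optional EventBridge statement."""
    statements = [{
        "Sid": "Allow access for Key Administrators",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # constructed account id
        "Action": "kms:*",
        "Resource": "*",
    }]
    if eventbridge_statement:
        statements.append(eventbridge_statement)
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed sample policies, not taken from any real key.
GOOD_KEY_POLICY = _policy({
    "Sid": "Allow EventBridge access",
    "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": "*",
})
# Grants only GenerateDataKey; Nic's comment reports delivery failing without Decrypt.
INCOMPLETE_KEY_POLICY = _policy({
    "Sid": "Allow EventBridge access",
    "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "kms:GenerateDataKey",
    "Resource": "*",
})
# Same grant, but scoped with an aws:SourceArn condition (constructed rule ARN).
CONDITIONED_KEY_POLICY = _policy({
    "Sid": "Allow EventBridge access",
    "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": "*",
    "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:events:us-east-1:111122223333:rule/example-rule"}},
})
# No EventBridge statement at all, only the administrator grant.
NO_EVENTBRIDGE_KEY_POLICY = _policy(None)

if __name__ == "__main__":
    samples = [("good", GOOD_KEY_POLICY), ("incomplete", INCOMPLETE_KEY_POLICY),
               ("conditioned", CONDITIONED_KEY_POLICY), ("none", NO_EVENTBRIDGE_KEY_POLICY)]
    for name, doc in samples:
        print(name, check_key_policy(doc))
```

To audit a real key, pass the JSON string returned by `aws kms get-key-policy --key-id <key id> --policy-name default --output text` to check_key_policy; an empty "missing" list with "conditioned" False is the state answer 2's KmsKey resource produces.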
