As pointed out in the comments, you should not use AWS: * as the principal, because it grants access to anyone who has an AWS account.
To create an SNS topic and restrict access to certain services, or to anyone in the account, use the following example.
The "AllowServices" Sid shows how to add multiple services, while AllowAWS lets anything in the account access it.
---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  Email:
    Type: String
    Default: <your name here>
Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: TestTopic
      Subscription:
        - Endpoint: !Ref Email
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          # Service principals: only these AWS services may publish.
          - Sid: AllowServices
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
                - cloudwatch.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
          # Account root: delegates to IAM, so any principal in this
          # account that has sns:Publish in its own policy may publish.
          - Sid: AllowAWS
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
      Topics:
        - !Ref Topic
You can use this; I have removed the default condition that locks it to its own account.
SNSAccessPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: <Yourtopic>
      Statement:
        -
          Action:
            - "SNS:GetTopicAttributes"
            - "SNS:SetTopicAttributes"
            - "SNS:AddPermission"
            - "SNS:RemovePermission"
            - "SNS:DeleteTopic"
            - "SNS:Subscribe"
            - "SNS:ListSubscriptionsByTopic"
            - "SNS:Publish"
            - "SNS:Receive"
          Effect: Allow
          Principal:
            AWS: "*"   # no Condition, so any AWS principal matches
          Resource:
            Ref: <Yourtopic>
    Topics:
      -
        Ref: <Yourtopic>
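The point the two answers turn on (a service principal or an account-root ARN versus a bare `AWS: "*"`) can be checked mechanically before a template is deployed. The Python audit below is an added example, not code from either answer: it rebuilds both policy documents as plain dicts (constructed data, with CloudFormation's !Ref and !Sub resolved by hand to ARNs for a hypothetical account 123456789012 and topic TestTopic in us-east-1) and flags every Allow statement whose principal is the wildcard and that carries no Condition. The SCOPED_POLICY variant puts back the StringEquals condition on AWS:SourceOwner that the SNS default topic policy uses to pin `*` to the owning account, which is the condition the second answer says it removed.

```python
"""Audit SNS topic-policy statements for principals open to every AWS account.

Added example, not code from either answer on the page. ACCOUNT_ID and
TOPIC_ARN are hypothetical values standing in for !Sub / !Ref results.
"""

ACCOUNT_ID = "123456789012"                                   # hypothetical
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:TestTopic"  # hypothetical


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals(statement):
    """Return (kind, value) pairs such as ("Service", "events.amazonaws.com")
    or ("AWS", "*"). A bare "*" principal is shorthand for {"AWS": "*"}."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def is_open_to_any_account(statement):
    """True for an Allow statement that matches any AWS principal with no
    Condition narrowing it. Service principals and account-root ARNs are not
    flagged; only the literal "*" under the AWS key is."""
    if statement.get("Effect") != "Allow":
        return False
    if statement.get("Condition"):
        # Any condition (e.g. StringEquals on AWS:SourceOwner) is treated as
        # narrowing for this check; a fuller audit would evaluate its keys.
        return False
    return any(kind == "AWS" and value == "*" for kind, value in principals(statement))


def audit(policy_document):
    """Return the Sid (or a positional label) of every open statement."""
    findings = []
    for index, statement in enumerate(_as_list(policy_document["Statement"])):
        if is_open_to_any_account(statement):
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings


# First answer: two service principals plus the account root. Nothing to flag.
RESTRICTED_POLICY = {
    "Statement": [
        {"Sid": "AllowServices", "Effect": "Allow",
         "Principal": {"Service": ["events.amazonaws.com", "cloudwatch.amazonaws.com"]},
         "Action": "sns:Publish", "Resource": [TOPIC_ARN]},
        {"Sid": "AllowAWS", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "sns:Publish", "Resource": [TOPIC_ARN]},
    ]
}

# Second answer: AWS "*" with the account-scoping condition removed.
OPEN_POLICY = {
    "Id": "TestTopic",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:GetTopicAttributes", "SNS:SetTopicAttributes",
                    "SNS:AddPermission", "SNS:RemovePermission", "SNS:DeleteTopic",
                    "SNS:Subscribe", "SNS:ListSubscriptionsByTopic",
                    "SNS:Publish", "SNS:Receive"],
         "Resource": TOPIC_ARN},
    ]
}

# The same statement with the condition the SNS default topic policy puts on
# "*": StringEquals on AWS:SourceOwner limits it to the owning account.
SCOPED_POLICY = {
    "Id": "TestTopic",
    "Statement": [
        {**OPEN_POLICY["Statement"][0],
         "Condition": {"StringEquals": {"AWS:SourceOwner": ACCOUNT_ID}}},
    ]
}


if __name__ == "__main__":
    for name, policy in [("restricted", RESTRICTED_POLICY),
                         ("open", OPEN_POLICY),
                         ("scoped", SCOPED_POLICY)]:
        print(f"{name}: {audit(policy) or 'no open statements'}")
```

Only the second answer's policy is reported; the first answer's service and account-root principals pass, as does the wildcard once the AWS:SourceOwner condition is back. The check deliberately treats the presence of any Condition as sufficient, so a real audit should go on to inspect which condition keys are used.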