我有一个 CloudFormation 模板。问题区域是最后一个资源语句,但我不明白为什么。
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation Template for Amazon Cognito
Resources:
DummyIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
AllowUnauthenticatedIdentities: false
IdentityPoolName: Dummy
DummyUserPool:
Type: AWS::Cognito::UserPool
Properties:
DeletionProtection: 'ACTIVE'
EnabledMfas:
- 'SMS_MFA' #SMS_MFA can only be enabled if SMS configuration is provided.
MfaConfiguration: 'ON'
SmsConfiguration:
ExternalId: Test
SnsCallerArn: !GetAtt SnsSmsCallerRole.Arn
SnsRegion: !Ref AWS::Region
SnsSmsCallerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: cognito-idp.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: CognitoSNSPublish
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:Publish
Resource:
- Fn::Sub: arn:aws:sns:*:*:*
当我将“CognitoSNSPublish”策略下的资源设置为通配符(如
Resource: *
)时,模板就会部署,并且它可以工作,可以部署。
问题是,当我将资源更改为特定的时,例如 Resource: arn:aws:sns:*:*:*
、Resource: arn:aws:sns:sns:*:*
、Resource: arn:aws:sns:<my-region>:*:*
或 Resource: arn:aws:sns:<my-region>:<my-account-id>:*
,它会失败并出现以下错误:
Resource handler returned message: "Role does not have permission to publish with SNS (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 338a4-9de1-47f0536218f0)" (RequestToken: 101a93b5-q0lo-5e4c-810d-lol22j2nsa2, HandlerErrorCode: InvalidRequest)
sns:Publish
动作仅适用于 sns
。它不能与任何其他服务一起使用。因此 Resource: *
将有效地将您的行动限制为仅 sns
。