您好,我使用 CDK 添加了一个 SNS 主题,并附加了如下自定义策略声明:
const snsTopic = new Topic(this, 'SnsTopic');
const snsTopicPolicyStatement = new PolicyStatement({
effect: Effect.ALLOW,
actions: ['SNS:Publish'],
principals: [
new ArnPrincipal('arn:xxx'),
new ArnPrincipal('arn:xxx'),
],
resources: ['SNS_TOPIC_ARN'],
});
snsTopicPolicyStatement.sid = 'publishStatementId';
snsTopic.addToResourcePolicy(snsTopicPolicyStatement);
但这在某种程度上是该主题拥有的唯一访问策略,而如果我只是创建一个新主题而不附加任何自定义策略,它看起来像:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish"
],
"Resource": "arn:xxx",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "xxx"
}
}
},
]
}
所以我想知道如何同时添加此默认访问策略和自定义访问策略?
您可以使用内置的 grantPublish 方法,而不是创建自己的策略声明吗?
const topic = new Topic(this, 'MyTopic')
topic.grantPublish(new ArnPrincipal('arn:xxx'))
topic.grantPublish(new ArnPrincipal('arn:yyy'))
您可以重新添加默认资源策略
const snsTopic = new Topic(this, 'SnsTopic');
snsTopic.addToResourcePolicy(new PolicyStatement({
actions: [ "SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"],
principals: [AnyPrincipal()],
resources: [snsTopic.topicArn],
conditions: {
"StringEquals": {
"AWS:SourceOwner": this.account,
},
},
}));
...
snsTopic.addToResourcePolicy(snsTopicPolicyStatement);