我在账户A中创建了一个SNS主题,策略如下。
{
"Sid": "Give Access to Different Account Queues to subscribe to my topic",
"Effect": "Allow",
"Principal":{
"AWS": "AccountId of Account B"
},
"Action": "sns:Subscribe",
"Resource": "Arn of my SNS topic present in Account A",
"Condition": {
"StringEquals": {
"sns:Protocol": "sqs"
},
"ForAllValues:StringEquals": {
"sns:Endpoint": [
"Arn of Queue A present in Account B", "Arn Queue B present in Account B"
]
}
}
}
在账户A中创建了上述主题和策略后,我通过控制台登录到账户B,并试图将队列C订阅到我的SNS主题,然后订阅成功,队列收到了确认订阅的消息!但理想的情况是,在上述策略之后,只有队列A和队列B能够订阅我的SNS主题。但理想的情况是,在上述策略之后,只有队列A和队列B能够订阅我的SNS主题。
你的策略对我来说工作得很好,但我不得不改变了 Principal 以供参考 arn:aws:iam::ACCOUNT-B:root. (我不记得我从哪里得到的,但它出现在某个阶段)。
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:root"
},
"Action": "sns:Subscribe",
"Resource": "arn:aws:sns:ap-southeast-2:ACCOUNT-A:topic",
"Condition": {
"StringEquals": {
"sns:Protocol": "sqs"
},
"ForAllValues:StringEquals": {
"sns:Endpoint": [
"arn:aws:sqs:ap-southeast-2:ACCOUNT-B:queue1",
"arn:aws:sqs:ap-southeast-2:ACCOUNT-B:queue2"
]
}
}
}
]
}
我能够从 queue1 和 queue2但不是 queue3.