2017-05-25 92 views
2

Allow CloudWatch alarms to send to SNS in another account

I have an SNS topic in account "A" that is the trigger for a Lambda function in the same account. This Lambda function sends messages to a dedicated Slack channel.

This works fine as long as the CloudWatch alarm is in the same account (account A).

But I also want to do this from "account B", and there I get:

{
    "error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
    "actionState": "Failed",
    "notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
    "stateUpdateTimestamp": 1495732611020,
    "publishedMessage": null
}

So how do I give the CloudWatch alarm ARN access to publish to the topic?

Trying to add a policy for it fails with:

Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725)

I see that someone else has/had the same problem (years ago!) at https://forums.aws.amazon.com/thread.jspa?threadID=143607, but it was never answered.

Update:

Trying to work around this, I am now using a local SNS topic and then having it send on to the remote account. However, I still get:

"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"

This is with the following SNS topic policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLambdaAccountToSubscribe",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
            },
            "Action": [
                "sns:Subscribe",
                "sns:Receive"
            ],
            "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
        },
        {
            "Sid": "AllowLocalAccountToPublish",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "LOCAL_ACCOUNT"
                }
            }
        }
    ]
}

If I manually publish a message to the topic, I can see that it reaches the Lambda function, so everything works except the CloudWatch access.

Answer

2

Through trial and error, I found that it was the condition that wasn't working. For some reason. Not sure why it doesn't see the source account...

A broader policy that makes it work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLambdaAccountToSubscribe",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
            },
            "Action": [
                "sns:Subscribe",
                "sns:Receive"
            ],
            "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
        },
        {
            "Sid": "AllowLocalAccountToPublish",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "LOCAL_ACCOUNT"
                }
            }
        },
        {
            "Sid": "AllowCloudWatchAlarmsToPublish",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
            "Condition": {
                "ArnLike": {
                    "AWS:SourceArn": "arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*"
                }
            }
        }
    ]
}
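The difference between the two policies is easier to see when the alarm's Publish request is run through a small resource-policy evaluator. The following is an added example, not code from the question or the answer: it models a subset of IAM policy evaluation (Principal, Action, Resource, the `StringEquals` and `ArnLike` operators, explicit Deny over Allow) and replays the two policies against a constructed request context. The context is an assumption based on the answer's finding: the alarm's request carries `aws:SourceArn` (the alarm ARN) but no `aws:SourceAccount` that the first condition could match. Account ids, region and alarm names are constructed placeholders.

```python
"""Toy evaluator for an SNS topic (resource) policy.

Added example, not the original post's code. Models only what the two
policies on the page use: Principal "*" / {"AWS": ...}, exact Action and
Resource strings, StringEquals and ArnLike conditions, Deny-overrides-Allow.
"""
import fnmatch

# Constructed placeholders (not real account ids or ARNs).
REGION = "us-east-1"
LOCAL_ACCOUNT = "111111111111"
REMOTE_ACCOUNT = "222222222222"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{LOCAL_ACCOUNT}:TOPIC"
LOCAL_ALARM_ARN = f"arn:aws:cloudwatch:{REGION}:{LOCAL_ACCOUNT}:alarm:HighCPU"
REMOTE_ALARM_ARN = f"arn:aws:cloudwatch:{REGION}:{REMOTE_ACCOUNT}:alarm:HighCPU"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_like(pattern, value):
    """ArnLike compares the six colon-delimited ARN components one by one;
    each component may use '*' and '?' wildcards."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


def principal_matches(principal, request_principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", request_principal) for p in _as_list(principal.get("AWS", [])))
    return False


def condition_matches(condition, context):
    """Every key of every operator must match; a key absent from the request
    context makes the condition fail (this is what bit the first policy)."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition keys are case-insensitive
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            candidates = _as_list(wanted)
            if operator == "StringEquals":
                if actual not in candidates:
                    return False
            elif operator == "ArnLike":
                if not any(arn_like(c, actual) for c in candidates):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource, request_principal, context):
    """True if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]) or resource not in _as_list(stmt["Resource"]):
            continue
        if not principal_matches(stmt["Principal"], request_principal):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Mirrors the question's Publish statement (the one that did not work).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLocalAccountToPublish", "Effect": "Allow", "Principal": "*",
        "Action": "sns:Publish", "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceAccount": LOCAL_ACCOUNT}},
    }],
}

# Mirrors the answer: the same statement plus an ArnLike-scoped one.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": QUESTION_POLICY["Statement"] + [{
        "Sid": "AllowCloudWatchAlarmsToPublish", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "sns:Publish", "Resource": TOPIC_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": f"arn:aws:cloudwatch:{REGION}:{LOCAL_ACCOUNT}:alarm:*"}},
    }],
}


def alarm_can_publish(policy, alarm_arn):
    """Constructed request context: CloudWatch supplies aws:SourceArn but no
    aws:SourceAccount (assumption reflecting the answer's observation)."""
    context = {"aws:SourceArn": alarm_arn}
    return evaluate(policy, "sns:Publish", TOPIC_ARN, "cloudwatch.amazonaws.com", context)


if __name__ == "__main__":
    print("question policy, local alarm:", alarm_can_publish(QUESTION_POLICY, LOCAL_ALARM_ARN))
    print("answer policy, local alarm:  ", alarm_can_publish(ANSWER_POLICY, LOCAL_ALARM_ARN))
    print("answer policy, remote alarm: ", alarm_can_publish(ANSWER_POLICY, REMOTE_ALARM_ARN))
```

Two things the replay makes visible. The first statement denies not because the account is wrong but because the key it tests is missing from the request, so any `Principal: "*"` statement that relies on it is dead weight. The `ArnLike` statement is the one doing the work, and its condition is also what keeps a `Principal: "*"` Publish grant from turning the topic into something any AWS principal can post to: it admits only alarms in `LOCAL_ACCOUNT`, which is why the remote alarm is still refused. If the original cross-account case is wanted, the safer move is to add the remote account's alarm ARN pattern to that condition rather than to drop the condition.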