2
我在帳戶「A」中有一個SNS主題,該帳戶是同一帳戶中Lambda功能的觸發器。此Lambda函數將消息發送到專用Slack通道。允許CloudWatch警報發送到其他帳戶中的SNS
只要CloudWatch警報在同一個帳戶(帳戶A)中,此方法就可以正常工作。
但我也想從「帳戶B」做到這一點,但我得到:
{
"error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
"actionState": "Failed",
"notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC",
"stateUpdateTimestamp": 1495732611020,
"publishedMessage": null
}
那麼,如何讓CloudWatch的警報ARN訪問發佈的話題?與
嘗試添加的政策失敗:
Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725)
我看到別人有/有同樣的問題(年前!)在https://forums.aws.amazon.com/thread.jspa?threadID=143607,但它從來沒有回答。
更新:
試圖解決這個問題,我現在正在嘗試使用本地SNS的主題,然後將其發送至刪除帳戶。不過,我仍然得到:
"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
這,這個SNS政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLambdaAccountToSubscribe",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
},
"Action": [
"sns:Subscribe",
"sns:Receive"
],
"Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
},
{
"Sid": "AllowLocalAccountToPublish",
"Effect": "Allow",
"Principal": "*",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "LOCAL_ACCOUNT"
}
}
}
]
}
如果我手動將消息發送到與話題發表主題,我可以看到,它會達到Lambda函數,因此除了CloudWatch訪問權限之外的所有內容。