[Posted]: 2021-04-09 01:37:55
[Problem description]:
I am writing a CloudFormation template to build an ECR repository. I built it with an event pattern so that, when an image is pushed to the repository, I am notified only if the image scan has HIGH or CRITICAL vulnerabilities. To keep it simple, I first built it so that instead of sending a notification to SNS it just creates a log entry in CloudWatch Logs. That all works fine, but now I am trying to get it to send an email via SNS and I am running into problems. I have tried several different things in the topic policy, such as !GetAtt ScanReportTopic.arn as the value for Resources, and I have also tried Resources: "*" and a few other things.
I am not sure what else to try. Here is the template I am using (email obfuscated):
Resources:
  EventBusTestRuleCritical:
    Type: AWS::Events::Rule
    Properties:
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            CRITICAL:
              - exists: true
      Targets:
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting
  EventBusTestRuleHigh:
    Type: AWS::Events::Rule
    Properties:
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            HIGH:
              - exists: true
      Targets:
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting
  ECRTestRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: TestScanRepo #Optional
      ImageScanningConfiguration:
        scanOnPush: "true"
  ScanReportTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: scanTopic #Optional
      Subscription:
        - Endpoint: notreal@fakemail.com
          Protocol: email
      # TopicName: Optional
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        -
          !Ref ScanReportTopic
      PolicyDocument:
        Id: !Ref ScanReportTopic
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Action: sns:Publish
            Resource: !Ref ScanReportTopic
            Principal: !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default'
[Discussion]:
Tags: amazon-web-services amazon-cloudformation amazon-iam amazon-sns
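The topic policy in the question is the part worth checking before deploying. EventBridge does not publish to an SNS target as an event-bus ARN; it publishes as the service principal events.amazonaws.com, so the topic's resource policy has to grant sns:Publish to that service principal, and a condition on aws:SourceArn keeps the grant limited to the rules that should be allowed to publish (otherwise any rule, in any account, could push messages into the topic through the same service principal). The following checker is an added example and is not code from the question or from AWS; it takes the policy document as a plain Python dict (the !Ref / !Sub intrinsics already resolved to ARNs) and uses constructed sample ARNs for the topic and the two rules.

```python
"""Static check of an SNS topic policy that is meant to let EventBridge rules
publish to the topic. Added example; ARNs below are constructed samples."""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

EVENTS_SERVICE_PRINCIPAL = "events.amazonaws.com"

# Constructed sample ARNs standing in for the resolved !Ref / !Sub values.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ScanReportTopic"
RULE_ARNS = [
    "arn:aws:events:us-east-1:123456789012:rule/EventBusTestRuleCritical",
    "arn:aws:events:us-east-1:123456789012:rule/EventBusTestRuleHigh",
]

# The policy statement from the question, with intrinsics resolved (constructed).
QUESTION_POLICY: Dict[str, Any] = {
    "Id": TOPIC_ARN,
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Action": "sns:Publish",
        "Resource": TOPIC_ARN,
        "Principal": "arn:aws:events:us-east-1:123456789012:event-bus/default",
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_publish(stmt: Dict[str, Any], topic_arn: str) -> bool:
    """True if the statement allows sns:Publish on this topic (or on '*')."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return any(a in ("sns:Publish", "sns:*", "*") for a in actions) and any(
        r in (topic_arn, "*") for r in resources)


def _source_arns(stmt: Dict[str, Any]) -> List[str]:
    """Collect aws:SourceArn values from the statement's Condition block."""
    cond = stmt.get("Condition", {})
    arns: List[str] = []
    for op in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
        arns += _as_list(cond.get(op, {}).get("aws:SourceArn"))
    return arns


def check_topic_policy(policy: Dict[str, Any], topic_arn: str,
                       rule_arns: List[str]) -> List[str]:
    """Return findings; an empty list means EventBridge can publish and the
    grant is scoped to exactly the given rules."""
    findings: List[str] = []
    service_grant_found = False
    for stmt in _as_list(policy.get("Statement")):
        if not _grants_publish(stmt, topic_arn):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            if "Condition" not in stmt:
                findings.append(f"{sid}: Principal '*' with no Condition lets anyone publish")
            continue
        if isinstance(principal, str) or (isinstance(principal, dict) and "AWS" in principal):
            # An AWS principal must be an IAM identity; an EventBridge resource ARN is not one.
            values = _as_list(principal if isinstance(principal, str) else principal["AWS"])
            if any(":events:" in v for v in values):
                findings.append(f"{sid}: Principal is an EventBridge resource ARN ({values[0]}); "
                                f"EventBridge publishes as the service principal "
                                f"{EVENTS_SERVICE_PRINCIPAL}, so use Principal: Service")
            continue
        if isinstance(principal, dict) and EVENTS_SERVICE_PRINCIPAL in _as_list(principal.get("Service")):
            service_grant_found = True
            allowed = _source_arns(stmt)
            if not allowed:
                findings.append(f"{sid}: no aws:SourceArn condition; any EventBridge rule, "
                                f"including rules in other accounts, could publish to this topic")
            else:
                missing = [r for r in rule_arns
                           if not any(fnmatchcase(r, pat) for pat in allowed)]
                for r in missing:
                    findings.append(f"{sid}: rule {r} is not covered by aws:SourceArn")
    if not service_grant_found:
        findings.insert(0, f"no Allow statement grants sns:Publish on {topic_arn} "
                           f"to {EVENTS_SERVICE_PRINCIPAL}")
    return findings


def build_eventbridge_topic_policy(topic_arn: str, rule_arns: List[str]) -> Dict[str, Any]:
    """A least-privilege topic policy: service principal plus SourceArn scoping."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEventBridgeRulesToPublish",
            "Effect": "Allow",
            "Principal": {"Service": EVENTS_SERVICE_PRINCIPAL},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": list(rule_arns)}},
        }],
    }


if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY),
                      ("scoped", build_eventbridge_topic_policy(TOPIC_ARN, RULE_ARNS))):
        print(name, check_topic_policy(pol, TOPIC_ARN, RULE_ARNS) or "OK")
```

In a CloudFormation template the scoped statement's Condition would be written with `!GetAtt EventBusTestRuleCritical.Arn` and `!GetAtt EventBusTestRuleHigh.Arn` as the aws:SourceArn values, so the topic accepts messages only from those two rules.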