【Posted】:2017-12-14 15:27:10
【Question】:
【Question discussion】:
Tags: amazon-web-services amazon-cloudformation amazon-sns
As one of the comments pointed out, you don't want to use AWS: * as the principal, because that grants access to anyone who has an AWS account.
To create an SNS topic and restrict access to certain services, or to anyone in the account, use the following example.
The "AllowServices" Sid shows how to add several services, while AllowAWS lets anything in the account access the topic.
---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  Email:
    Type: String
    Default: <your name here>
Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: TestTopic
      Subscription:
        - Endpoint: !Ref Email
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Sid: AllowServices
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
                - cloudwatch.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
          - Sid: AllowAWS
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
      Topics:
        - !Ref Topic
【Discussion】:
You can use this. I have removed the default condition that locks the topic down to your own account.
SNSAccessPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: <Yourtopic>
      Statement:
        -
          Action:
            - "sns:Publish"
            - "SNS:GetTopicAttributes"
            - "SNS:SetTopicAttributes"
            - "SNS:AddPermission"
            - "SNS:RemovePermission"
            - "SNS:DeleteTopic"
            - "SNS:Subscribe"
            - "SNS:ListSubscriptionsByTopic"
            - "SNS:Publish"
            - "SNS:Receive"
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Ref: <Yourtopic>
    Topics:
      -
        Ref: <Yourtopic>
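The two answers above disagree on the principal: the first scopes it to named service principals and the account root, the second uses AWS: "*" with the default account condition removed. The check below is an added example, not code from either answer or from AWS. It walks an SNS topic policy in the JSON form CloudFormation submits and flags Allow statements whose principal is a wildcard with no Condition that narrows the caller (the default SNS topic policy narrows it with AWS:SourceOwner; the other condition keys in the list are an assumption about what a reviewer would accept). The sample policies and the account id 123456789012 are constructed for the example.

```python
import json

# Condition keys that tie a wildcard principal back to an account, org or
# source resource. AWS:SourceOwner is what the default SNS topic policy uses;
# the rest of the list is an assumption, not an AWS-supplied set.
SCOPING_CONDITION_KEYS = {
    "aws:sourceowner",
    "aws:sourceaccount",
    "aws:sourcearn",
    "aws:principalaccount",
    "aws:principalorgid",
}


def principal_is_wildcard(principal):
    """True for Principal: "*", Principal: {"AWS": "*"} or an AWS list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def condition_scopes_caller(condition):
    """True if any condition key (case-insensitive, as IAM treats them) narrows the caller."""
    if not isinstance(condition, dict):
        return False
    for keys in condition.values():          # e.g. {"StringEquals": {"AWS:SourceOwner": ...}}
        if isinstance(keys, dict) and any(k.lower() in SCOPING_CONDITION_KEYS for k in keys):
            return True
    return False


def find_open_statements(policy):
    """Return the Sids (or positional labels) of Allow statements usable by any AWS principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):         # a single statement object is valid policy JSON
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(statement.get("Principal")):
            continue
        if condition_scopes_caller(statement.get("Condition")):
            continue
        findings.append(statement.get("Sid", "Statement[%d]" % index))
    return findings


def lint_policy_json(text):
    """Parse a JSON policy document and return its open statements."""
    return find_open_statements(json.loads(text))


TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:TestTopic"   # constructed

# Mirrors the second answer: wildcard principal, default condition removed.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sns:Publish", "sns:Subscribe", "sns:DeleteTopic"],
        "Resource": TOPIC_ARN,
    }],
}

# Shape of the default SNS topic policy: same wildcard, but narrowed to one account.
DEFAULT_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
}

# Mirrors the first answer: named service principals plus the account root.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowServices", "Effect": "Allow",
         "Principal": {"Service": ["events.amazonaws.com", "cloudwatch.amazonaws.com"]},
         "Action": "sns:Publish", "Resource": TOPIC_ARN},
        {"Sid": "AllowAWS", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sns:Publish", "Resource": TOPIC_ARN},
    ],
}

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("default-style", DEFAULT_STYLE_POLICY),
                         ("scoped", SCOPED_POLICY)):
        print(name, "->", find_open_statements(policy) or "no open statements")
```

Only the policy shaped like the second answer is reported; the default-style policy keeps the same AWS: "*" principal but passes because AWS:SourceOwner restricts it to one account, which is exactly the condition that answer removed. Run it against the JSON you get from `aws sns get-topic-attributes` before and after a stack update to confirm the deployed policy matches the intent.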
【Discussion】:
I think you need an AWS::SNS::TopicPolicy resource. Take a look at this link: AWS::SNS::TopicPolicy
【Discussion】: