【发布时间】:2020-09-10 22:20:38
【问题描述】:
就在我以为我已对跨组织权限进行排序时,我被 CloudWatch 警报和 SNS 卡住了。 尝试了几种选择,但无法获得有关 SNS 主题的访问策略。 Cloudwatch 和 SNS 主题在同一区域,但在同一组织中的不同帐户。当然,我不需要中间的 lambda 来管理它,AWS 现在已经为 CloudWatch 提供跨组织支持。我尝试过以下几个选项。
SNS 主题在帐户 A = 1111111111 中 Cloudwatch 警报在账户 B = 22222222
选项 1 - 账户 B 拥有 SNS 主题的发布权限
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:root",
"arn:aws:iam::222222222222:root"
]
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}
选项 2 - 授予 Cloudwatch 服务访问权限以发布到 SNS 主题
{
"Sid": "Allow_Publish_Alarms",
"Effect": "Allow",
"Principal":
{
"Service": [
"cloudwatch.amazonaws.com"
]
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}
选项 3 - 跨组织权限,我也更新了账户 B 中的 IAM 角色
{
"Sid": "CrossOrgPublish01",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
}
}
}
【问题讨论】:
标签: amazon-web-services amazon-cloudwatch amazon-sns