AWS CloudWatch alarm from account A cannot publish to an SNS topic in account B

Problem description

Just when I thought I had sorted out cross-organization permissions, I got stuck on CloudWatch alarms and SNS. I have tried several options but cannot get the access policy on the SNS topic right. CloudWatch and the SNS topic are in the same region, but in different accounts within the same organization. Of course, I do not need a Lambda in the middle to handle this; AWS now provides cross-organization support for CloudWatch. I have tried the following options.

SNS topic in account A = 1111111111; CloudWatch alarm in account B = 22222222

Option 1 - account B has publish permission on the SNS topic

{
  "Sid": "__console_pub_0",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111111111111:root",
      "arn:aws:iam::222222222222:root"
    ]
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}

Option 2 - grant the CloudWatch service access to publish to the SNS topic

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname"
}

Option 3 - cross-organization permission; I also updated the IAM role in account B

{
  "Sid": "CrossOrgPublish01",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
  "Condition": {
    "ArnLike": {
      "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
    }
  }
}

Tags: amazon-web-services, amazon-cloudwatch, amazon-sns

Solution

Option 3 is correct. However, it does not belong in the IAM role in Acc B; it should be added as a statement to the topic policy in Acc A.

Assuming you have a default topic policy in Acc A, after adding the new statement you will have:

SNS topic policy in Acc A

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111111111111"
        }
      }
    },
    {
      "Sid": "CrossOrgPublish01",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"
        }
      }
    }
  ]
}
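As an added example (not part of the original question or answer), a small Python check that evaluates the answer's topic policy offline: it reports which statement grants sns:Publish to a CloudWatch alarm identified by its ARN, and flags any Principal "*" statement that has no Condition, since the aws:SourceArn condition is what keeps the wildcard principal from being an open publish grant. Account ids, region and topic name are the question's placeholders; the alarm names in the checks are constructed.

```python
import fnmatch
import json

TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:alerttopicname"

# The answer's policy, embedded for an offline check (default statement trimmed
# to two actions; the cross-account statement is reproduced as given).
TOPIC_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": ["SNS:Publish", "SNS:Subscribe"],
     "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
     "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}}},
    {"Sid": "CrossOrgPublish01", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:111111111111:alerttopicname",
     "Condition": {"ArnLike": {
       "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:222222222222:alarm:*"}}}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_met(condition, ctx):
    """Every operator block must hold, and within a block every key must match
    one of its values. Only the two operators used on this page are modelled;
    any other operator is treated as not met, so the check errs on the safe side."""
    for op, kv in condition.items():
        for key, values in kv.items():
            actual = ctx.get(key.lower())  # condition keys are case-insensitive
            if op == "StringEquals":
                ok = actual in _as_list(values)
            elif op == "ArnLike":  # case-sensitive glob with * and ? wildcards
                ok = actual is not None and any(
                    fnmatch.fnmatchcase(actual, p) for p in _as_list(values))
            else:
                ok = False
            if not ok:
                return False
    return True

def publish_grant_for_alarm(policy, topic_arn, alarm_arn):
    """Sid of the first Allow statement that lets the alarm publish to topic_arn
    through the Principal "*" + Condition pattern from the answer, else None."""
    ctx = {"aws:sourcearn": alarm_arn, "aws:sourceowner": alarm_arn.split(":")[4]}
    for st in policy["Statement"]:
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if (st.get("Effect") == "Allow"
                and st.get("Principal") in ("*", {"AWS": "*"})
                and actions & {"sns:publish", "sns:*"}
                and any(fnmatch.fnmatchcase(topic_arn, r) for r in _as_list(st["Resource"]))
                and _condition_met(st.get("Condition", {}), ctx)):
            return st.get("Sid")
    return None

def unscoped_wildcard_principals(policy):
    """Sids with Principal "*" and no Condition: any AWS caller could publish."""
    return [st.get("Sid") for st in policy["Statement"]
            if st.get("Principal") in ("*", {"AWS": "*"}) and not st.get("Condition")]
```

An alarm from account B in another region is not matched because the aws:SourceArn pattern pins us-east-1, which is the region both resources share in the question.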
