amazon-web-services - User: ARN is not authorized to perform: SNS:Publish on resource: ARN (AWS integration error)
Problem description
I am trying to monitor an AWS cloud environment with AquaSec. AquaSec helps you connect your AWS environment by providing a CloudFormation template that you deploy in the AWS environment. Once it is deployed, you use its ARN in AquaSec to connect/integrate the two. Any alerts in Aquasec are sent to an SNS topic, which in turn forwards them to an HTTPS endpoint.
Here is the CloudFormation template file,
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Aqua CSPM security scanner cross-account role",
  "Parameters": {
    "ExternalId": {
      "Type": "String",
      "Description": "The external ID auto-generated from the Aqua Cloud dashboard. Do not change this value.",
      "AllowedPattern": "[-a-z0-9]*",
      "ConstraintDescription": "Must be lowercase or numbers, no spaces, dashes ok."
    }
  },
  "Resources": {
    "AquaCSPMRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-api"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalId"
                  }
                },
                "IpAddress": {
                  "aws:SourceIp": "3.231.74.65/32"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-collector"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalId"
                  }
                },
                "IpAddress": {
                  "aws:SourceIp": "3.231.74.65/32"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-remediator"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalId"
                  }
                },
                "IpAddress": {
                  "aws:SourceIp": "3.231.74.65/32"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::057012691312:role/lambda-cloudsploit-tasks"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalId"
                  }
                },
                "IpAddress": {
                  "aws:SourceIp": "3.231.74.65/32"
                }
              }
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "aqua-cspm-supplemental-policy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ses:DescribeActiveReceiptRuleSet",
                    "athena:GetWorkGroup",
                    "logs:DescribeLogGroups",
                    "logs:DescribeMetricFilters",
                    "elastictranscoder:ListPipelines",
                    "elasticfilesystem:DescribeFileSystems",
                    "servicequotas:ListServiceQuotas",
                    "ssm:ListAssociations",
                    "dlm:GetLifecyclePolicies",
                    "airflow:ListEnvironments",
                    "glue:GetSecurityConfigurations",
                    "devops-guru:ListNotificationChannels"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ],
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/SecurityAudit"
        ]
      }
    }
  },
  "Outputs": {
    "AquaCSPMeArn": {
      "Description": "The role ARN of the cross-account user. Copy this into Aqua Cloud.",
      "Value": {
        "Fn::GetAtt": [
          "AquaCSPMRole",
          "Arn"
        ]
      }
    },
    "StackVersion": {
      "Description": "The Aqua CSPM stack version.",
      "Value": "2.0"
    }
  }
}
I am trying to set up an Amazon SNS topic whose ARN Aquasec uses to send alerts. Once I create an SNS topic, copy its ARN into Aquasec and try to test the notification, I keep getting this error:
{"message":"User: arn:aws:sts::057012691312:assumed-role/lambda-cloudsploit-api/cloudsploit-api is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:940386435759:Sample_Aqua_Integration","code":"AuthorizationError","time":"2021-04-19T22:15:54.463Z","requestId":"bc808944-3430-5683-aed1-d1bc376a70f5","statusCode":403,"retryable":false,"retryDelay":50.2772842473471}
I have tried almost every possible way: changing the topic policy on the SNS topic (various combinations of the "Principal" field), trying to grant permissions to the specific IAM role. Nothing seems to work and I get the same error. I feel it must have something to do with the template file (in the 'assumeRole' configuration)?
Any suggestions on what to change/try, and how? Thanks
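The error quoted in the question names the publisher as an STS session of the IAM role lambda-cloudsploit-api in account 057012691312, publishing to a topic owned by account 940386435759. For a cross-account sns:Publish the topic's own access (resource-based) policy has to allow that principal; the cross-account role created by the template is only what Aqua assumes in order to scan, and its trust policy (ExternalId, aws:SourceIp) plays no part in this Publish call, which is made under Aqua's own role. The Python below is an added example, not code from the question or from Aqua: it parses the quoted error, maps the per-session STS ARN back to the role ARN that belongs in the policy, builds a minimal topic policy granting that role sns:Publish only on this topic, and evaluates the request against it with a deliberately simplified policy matcher. Function and variable names are mine; the ARNs come from the error message. Whether Aqua's role is also allowed to publish by its identity-based policy in account 057012691312 is outside the topic owner's control and is not modelled.

```python
"""Cross-account SNS publish: reproduce and fix the AuthorizationError offline.

Added example (not from the original thread or from Aqua). The evaluator below
models only the Principal/Action/Resource forms used here; IAM conditions,
wildcards in ARNs and the caller's own identity policy are not modelled.
"""
import json
import re

# Constructed from the error JSON quoted in the question.
ERROR_MESSAGE = (
    "User: arn:aws:sts::057012691312:assumed-role/lambda-cloudsploit-api/cloudsploit-api "
    "is not authorized to perform: SNS:Publish on resource: "
    "arn:aws:sns:us-east-1:940386435759:Sample_Aqua_Integration"
)

_ERR_RE = re.compile(
    r"User: (?P<caller>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)
_SESSION_RE = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def parse_authorization_error(message):
    """Return (caller_arn, action, resource_arn) from an AWS AuthorizationError text."""
    m = _ERR_RE.search(message)
    if not m:
        raise ValueError("not an AWS 'is not authorized to perform' message")
    return m.group("caller"), m.group("action"), m.group("resource")


def session_arn_to_role_arn(arn):
    """Map arn:aws:sts::ACCT:assumed-role/ROLE/SESSION to arn:aws:iam::ACCT:role/ROLE.

    Resource policies should name the IAM role, not the STS session ARN: the
    session name ('cloudsploit-api' here) is chosen by the caller per session
    and may change. Any other ARN is returned unchanged.
    """
    m = _SESSION_RE.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def build_topic_policy(topic_arn, publisher_role_arns):
    """Minimal topic access policy: the named roles may sns:Publish to this topic only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAquaPublish",
            "Effect": "Allow",
            "Principal": {"AWS": sorted(publisher_role_arns)},
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, caller_arn, action, resource_arn):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants.

    Principal matches by exact ARN (STS session ARNs normalised to role ARNs) or
    by the wildcard "*"; Action matches case-insensitively; Resource matches by
    exact ARN. Returns False when no statement matches (implicit deny).
    """
    principal = session_arn_to_role_arn(caller_arn)
    allowed = False
    for st in policy.get("Statement", []):
        p = st.get("Principal", {})
        principals = _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if (principal not in principals and "*" not in principals) \
                or action.lower() not in actions \
                or resource_arn not in _as_list(st.get("Resource", [])):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def apply_topic_policy(sns_client, topic_arn, policy):
    """Install the policy on the real topic via boto3 (not exercised offline)."""
    sns_client.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy", AttributeValue=json.dumps(policy)
    )


if __name__ == "__main__":
    caller, action, topic = parse_authorization_error(ERROR_MESSAGE)
    no_grant = {"Version": "2012-10-17", "Statement": []}
    print("before:", policy_allows(no_grant, caller, action, topic))  # False, as in the question
    policy = build_topic_policy(topic, [session_arn_to_role_arn(caller)])
    print(json.dumps(policy, indent=2))
    print("after:", policy_allows(policy, caller, action, topic))  # True
```

To apply it for real, call `apply_topic_policy(boto3.client("sns"), topic, policy)` from the topic owner's account, or save the printed JSON and run `aws sns set-topic-attributes --topic-arn <topic> --attribute-name Policy --attribute-value file://policy.json`. The evaluator accepts Principal "*" because the SNS console offers it, but a "*" principal with no Condition lets any AWS account publish to the topic; naming the single role from the error message is the least-privilege grant. If the error persists after the topic policy names the right role, the remaining cause is on the publisher's side (its identity policy must also allow sns:Publish on that topic), not in the CloudFormation trust policy.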
Solution