2017-05-25 94 views
2

Allow a CloudWatch alarm to publish to an SNS topic in another account

I have an SNS topic in account "A" that is the trigger for a Lambda function in the same account. This Lambda function posts messages to a private Slack channel.

This works fine as long as the CloudWatch alarm is in the same account (account A).

But I also want to do this from "account B", and then I get:

{ 
    "error": "Resource: arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:ACCOUNT_A:TOPIC", 
    "actionState": "Failed", 
    "notificationResource": "arn:aws:sns:REGION:ACCOUNT_A:TOPIC", 
    "stateUpdateTimestamp": 1495732611020, 
    "publishedMessage": null 
} 

So how do I give the CloudWatch alarm's ARN permission to publish to the topic?

Trying to add a policy for it fails with:

Invalid parameter: Policy Error: PrincipalNotFound (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 7f5c202e-4784-5386-8dc5-718f5cc55725) 

I see that someone else has/had the same problem (years ago!) at https://forums.aws.amazon.com/thread.jspa?threadID=143607, but it was never answered.

Update:

Trying to work around this, I am now trying to use a local SNS topic and then forward it to the remote account. However, I still get:

"error": "Resource: arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:ALARM is not authorized to perform: SNS:Publish on resource: arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC" 

with this SNS policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowLambdaAccountToSubscribe",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
          },
          "Action": [
            "sns:Subscribe",
            "sns:Receive"
          ],
          "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
        },
        {
          "Sid": "AllowLocalAccountToPublish",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "sns:Publish",
          "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
          "Condition": {
            "StringEquals": {
              "AWS:SourceAccount": "LOCAL_ACCOUNT"
            }
          }
        }
      ]
    }

If I publish a message to the topic manually, I can see it reach the Lambda function, so everything works except the CloudWatch access.

Answer

2

Through trial and error I found it was the condition that wasn't working. For some reason. No idea why it doesn't see the source account...

A broader policy that made it work:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowLambdaAccountToSubscribe",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::REMOTE_ACCOUNT:root"
          },
          "Action": [
            "sns:Subscribe",
            "sns:Receive"
          ],
          "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
        },
        {
          "Sid": "AllowLocalAccountToPublish",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sns:Publish",
          "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
          "Condition": {
            "StringEquals": {
              "AWS:SourceAccount": "LOCAL_ACCOUNT"
            }
          }
        },
        {
          "Sid": "AllowCloudWatchAlarmsToPublish",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sns:Publish",
          "Resource": "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:cloudwatch:REGION:LOCAL_ACCOUNT:alarm:*"
            }
          }
        }
      ]
    }
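The following is an added example, not code from the question or the answer above. It generates a topic policy that uses the mechanism the answer found to work (an open `Principal` restricted by an `ArnLike` condition on `aws:SourceArn`) and extends it to the original cross-account case by listing the alarm ARN pattern of every account that may publish, so that `ACCOUNT_B` from the question is covered without opening the topic to the world. It also includes a small local check that approximates the `ArnLike` match IAM applies, so you can see which alarm ARNs a given policy admits before you apply it. The account IDs, region and topic name are placeholders taken from the post, not real resources; the check only models `Principal "*"` statements with a `sns:Publish` action and is a sanity check, not a full IAM simulator. Condition key names are case-insensitive in IAM, so `aws:SourceArn` here matches the `AWS:SourceArn` spelling in the answer.

```python
import fnmatch
import json

# Placeholders copied from the post; replace with real values before use.
TOPIC_ARN = "arn:aws:sns:REGION:LOCAL_ACCOUNT:TOPIC"
REGION = "REGION"
ALARM_ACCOUNTS = ["LOCAL_ACCOUNT", "ACCOUNT_B"]   # accounts whose alarms may publish
SUBSCRIBER_ACCOUNT = "REMOTE_ACCOUNT"             # account that owns the Lambda subscription


def build_topic_policy(topic_arn, region, alarm_accounts, subscriber_account):
    """Return an SNS topic policy (as a dict) that lets CloudWatch alarms in
    `alarm_accounts` publish and lets `subscriber_account` subscribe.

    The publish statement keeps Principal "*" as in the answer above. Without
    the aws:SourceArn condition that principal would make the topic
    world-publishable, so the condition is the entire control."""
    alarm_patterns = [
        f"arn:aws:cloudwatch:{region}:{acct}:alarm:*" for acct in alarm_accounts
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSubscriberAccountToSubscribe",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{subscriber_account}:root"},
                "Action": ["sns:Subscribe", "sns:Receive"],
                "Resource": topic_arn,
            },
            {
                "Sid": "AllowCloudWatchAlarmsToPublish",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "sns:Publish",
                "Resource": topic_arn,
                "Condition": {"ArnLike": {"aws:SourceArn": alarm_patterns}},
            },
        ],
    }


def publish_allowed(policy, source_arn):
    """Approximate whether an alarm with ARN `source_arn` may publish.

    Considers only Allow statements with Principal "*" that grant sns:Publish.
    A statement with no aws:SourceArn condition admits any caller, which is
    the misconfiguration to watch for. ArnLike wildcards (* and ?) are
    modelled with fnmatch, which is close enough for alarm ARNs."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        principal = stmt.get("Principal")
        if stmt["Effect"] != "Allow" or "sns:Publish" not in actions:
            continue
        if principal not in ("*", {"AWS": "*"}):
            continue
        patterns = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
        if patterns is None:
            return True  # open principal with no source restriction
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(source_arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = build_topic_policy(TOPIC_ARN, REGION, ALARM_ACCOUNTS, SUBSCRIBER_ACCOUNT)
    # Write this out and apply it with:
    #   aws sns set-topic-attributes --topic-arn TOPIC_ARN \
    #       --attribute-name Policy --attribute-value file://policy.json
    print(json.dumps(policy, indent=2))
    for arn in (
        "arn:aws:cloudwatch:REGION:ACCOUNT_B:alarm:ALARM",
        "arn:aws:cloudwatch:REGION:ACCOUNT_C:alarm:ALARM",
    ):
        print(arn, "->", "allowed" if publish_allowed(policy, arn) else "denied")
```

Keep the alarm account list explicit rather than widening the `ArnLike` pattern to `arn:aws:cloudwatch:*:*:alarm:*`: with `Principal "*"`, any account in the world that can name an alarm would otherwise be able to publish into your Slack channel.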