How do I write the policy statement for an SSE-encrypted SQS queue that receives S3 events? I have an SQS queue with the following policy document, used to receive S3 events from a bucket:

```json
{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}
```
Now I have enabled server-side encryption (SSE) on the queue, and I followed this doc to write the encryption policy statement. The policy now looks like this:

```json
{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}
```
But now the queue no longer receives any messages from the bucket when files are added. Did I get something wrong in the permissions?
While trying to reproduce your situation, I was **unable** to add an event notification to an encrypted SQS queue. It returned an internal error message. However, I suspect that the policy you copied from the [SQS documentation](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html) should be placed on the IAM user that sends the messages, not on the SQS queue itself. –
@JohnRotenstein Yes. A silly mistake on my part. I didn't notice that S3 events don't support SSE-enabled queues. Answering it myself now :) – Dawny33
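As an added check (not code from the question or from AWS), this Python script lints the question's second queue policy for the two defects the comments point to: a statement with no Principal, which only makes sense in an IAM identity policy, and kms:* actions bound to an SQS queue ARN. The policy dict is a constructed copy of the question's JSON; the statement labels and message wording are this script's own.

```python
import json

# Constructed copy of the question's second queue policy (the one that broke
# delivery); "<>" is the account-id placeholder as it appears in the question.
S3_QUEUE_ARN = "arn:aws:sqs:us-east-1:<>:cypher-queue"
ONLY_FROM_BUCKET = {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"}}
BROKEN_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "example-statement-ID", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
         "Resource": S3_QUEUE_ARN, "Condition": ONLY_FROM_BUCKET},
        # Copied from the SSE guide: an identity-policy statement (no Principal)
        # whose kms:* actions point at an SQS ARN.
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": S3_QUEUE_ARN, "Condition": ONLY_FROM_BUCKET},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sqs:SendMessage",
         "Resource": S3_QUEUE_ARN, "Condition": ONLY_FROM_BUCKET},
    ],
}

def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_queue_policy(policy):
    """Return (statement label, problem) pairs for statements that cannot
    take effect as written in an SQS resource policy."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        label = stmt.get("Sid", f"Statement[{i}]")
        # A resource policy must say *who* is allowed. Identity policies omit
        # Principal, so its absence marks a statement that belongs on the IAM user.
        if "Principal" not in stmt:
            problems.append((label, "no Principal: this is an identity-policy statement"))
        # The action's service prefix must match the service field of the Resource
        # ARN (arn:partition:service:...); kms:* on an sqs ARN can never match.
        services = {arn.split(":")[2] for arn in _as_list(stmt.get("Resource")) if arn.startswith("arn:")}
        for action in _as_list(stmt.get("Action")):
            svc = action.split(":")[0]
            if svc != "*" and services and svc not in services:
                problems.append((label, f"{action} cannot apply to resources of service {'/'.join(sorted(services))}"))
        # Anonymous access is only acceptable when a Condition narrows it.
        if stmt.get("Principal") == {"AWS": "*"} and "Condition" not in stmt:
            problems.append((label, "Principal * with no Condition"))
    return problems

if __name__ == "__main__":
    for label, problem in lint_queue_policy(json.loads(json.dumps(BROKEN_POLICY))):
        print(f"{label}: {problem}")
```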