AWS SNS Topic Policy in CloudFormation

Time: 2017-07-10 19:01:03

Tags: amazon-web-services amazon-cloudformation amazon-sns

I am trying to create an SNS topic with a CloudFormation script. Everything works except the topic policy.

This is what we get by default:

[screenshot: default topic policy]

I want to update the policy to the following using the CloudFormation script.

[screenshot: desired topic policy]

Any suggestions on how to achieve this?

3 Answers:

Answer 0 (score: 1)

I think you need the AWS::SNS::TopicPolicy resource. See this link: AWS::SNS::TopicPolicy

Answer 1 (score: 1)

You can use this; I have removed the default condition that locks it down to your own account.

SNSAccessPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: <Yourtopic>
      Statement:
        - Action:
            - "SNS:GetTopicAttributes"
            - "SNS:SetTopicAttributes"
            - "SNS:AddPermission"
            - "SNS:RemovePermission"
            - "SNS:DeleteTopic"
            - "SNS:Subscribe"
            - "SNS:ListSubscriptionsByTopic"
            - "SNS:Publish"
            - "SNS:Receive"
          Effect: Allow
          Principal:
            AWS: "*"   # "*" grants these actions to every AWS principal
          Resource:
            Ref: <Yourtopic>
    Topics:
      - Ref: <Yourtopic>

Answer 2 (score: 1)

As one of the comments pointed out, you do not want to use AWS: * as the principal, because it grants access to anyone with an AWS account.

To create an SNS topic and restrict access to certain services or to anyone in the account, use the following example.

The "AllowServices" Sid shows how to add multiple services, while AllowAWS allows anything in the account to access it.

---
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  Email:
    Type: String
    Default: <your name here>

Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: TestTopic
      Subscription:
      - Endpoint: !Ref Email
        Protocol: email

  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Sid: AllowServices
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
                - cloudwatch.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
          - Sid: AllowAWS
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: 'sns:Publish'
            Resource:
              - !Ref Topic
      Topics:
        - !Ref Topic
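As an added example that is not part of any answer above, the following Python check flags the over-broad principal that Answer 2 warns about when run over a rendered topic PolicyDocument; the topic ARN, the account id and the dict form of the two answers' policies are constructed here, with !Ref and !Sub assumed already resolved.

```python
# Added example (not from the answers above): flag SNS topic-policy statements
# that grant access to every AWS account. Input is the rendered PolicyDocument.

def _principal_is_public(principal):
    """True if the Principal element matches every AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def find_public_statements(policy):
    """Return Sids (or positional labels) of Allow statements open to everyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as a mapping
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            # Deny statements are harmless; a Condition (e.g. aws:SourceOwner)
            # narrows the grant and is out of scope for this simple check.
            continue
        if _principal_is_public(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:TestTopic"  # constructed ARN

# Constructed sample: Answer 1's policy with its placeholders resolved.
OPEN_POLICY = {
    "Id": TOPIC_ARN,
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN}],
}

# Constructed sample: Answer 2's policy with !Ref / !Sub resolved.
SCOPED_POLICY = {
    "Statement": [
        {"Sid": "AllowServices", "Effect": "Allow", "Action": "sns:Publish",
         "Principal": {"Service": ["events.amazonaws.com", "cloudwatch.amazonaws.com"]},
         "Resource": [TOPIC_ARN]},
        {"Sid": "AllowAWS", "Effect": "Allow", "Action": "sns:Publish",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Resource": [TOPIC_ARN]},
    ],
}
```

Running `find_public_statements(OPEN_POLICY)` reports the single unnamed statement, while the scoped template from Answer 2 produces no findings.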