You need to attach an inline "access" policy like the following to the SQS queue. The `Principal` grants only the S3 service, and the two conditions narrow that further to notifications emitted by your bucket (`aws:SourceArn`) on behalf of the bucket owner's account (`aws:SourceAccount`). Without those conditions, any bucket in any AWS account whose notification configuration points at this queue ARN could write into it (the confused-deputy problem the AWS documentation warns about):
{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "SQS:SendMessage"
      ],
      "Resource": "arn:aws:sqs:<region>:<account-id>:<queue-name>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::<my-bucket-name>"
        },
        "StringEquals": {
          "aws:SourceAccount": "<bucket-owner-account-id>"
        }
      }
    }
  ]
}
Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html
Note: placeholders such as <region>, <account-id>, <queue-name>, <my-bucket-name> and <bucket-owner-account-id> in the JSON must be replaced with your own values.
Your queue can also use server-side encryption. In that case you also need to add a policy to the customer managed KMS key (it must be a customer managed KMS key; the AWS managed default key will not work, because its key policy cannot be edited to grant the S3 service access; see the AWS Knowledge Center article "Why aren't Amazon S3 event notifications delivered to an Amazon SQS queue that uses server-side encryption?"). The first statement below lets the S3 service generate data keys and decrypt with the key, again pinned to your bucket and account. In a key policy, `"Resource": "*"` means the key the policy is attached to. The second statement is the default statement that keeps the account's administrators in control of the key; do not drop it, or the key can become unmanageable.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Amazon S3 to use this key",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account-id>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::<bucket-name>"
        }
      }
    },
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
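As an added example (not part of the original page or of the AWS documentation it cites), the following Python builds both policies above, the SQS queue policy and the KMS key policy, from a handful of parameters, and lints any policy document for the confused-deputy guards that a grant to a service principal should carry. The function names, the account IDs 111122223333 and 444455556666, the queue and bucket names, and the "weak" sample policy are all constructed for illustration.

```python
"""Build the S3 -> SQS event-notification policies and lint them for
confused-deputy guards. Added example; names and sample values are assumptions."""
import json

S3_SERVICE = "s3.amazonaws.com"
# Both keys must be present on any Allow granted to a service principal.
# Compared lower-cased because IAM matches condition keys case-insensitively.
REQUIRED_GUARDS = {"aws:sourcearn", "aws:sourceaccount"}


def sqs_queue_policy(region, account_id, queue_name, bucket_name,
                     bucket_owner_account_id=None):
    """Queue access policy: only the S3 service, acting for one bucket owned by
    one account, may call SendMessage on this queue."""
    bucket_owner_account_id = bucket_owner_account_id or account_id
    return {
        "Version": "2012-10-17",
        "Id": "s3-event-notifications",
        "Statement": [{
            "Sid": "AllowS3SendMessage",
            "Effect": "Allow",
            "Principal": {"Service": S3_SERVICE},
            "Action": ["SQS:SendMessage"],
            "Resource": f"arn:aws:sqs:{region}:{account_id}:{queue_name}",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": bucket_owner_account_id},
            },
        }],
    }


def kms_key_policy(account_id, bucket_name):
    """Key policy for the customer managed key of an SSE-KMS queue. Keeps the
    default root statement so the account's admins stay in control of the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3ToUseThisKey",
                "Effect": "Allow",
                "Principal": {"Service": S3_SERVICE},
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": "*",  # in a key policy "*" means "this key"
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
                },
            },
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
        ],
    }


def _condition_keys(statement):
    """All condition keys of a statement, lower-cased, across every operator block."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def unguarded_service_grants(policy):
    """Sids of Allow statements that grant to a service principal without pinning
    both the calling resource (aws:SourceArn) and its account (aws:SourceAccount).
    Such a grant lets any bucket in any account that targets this queue or key use it."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        is_service = isinstance(principal, dict) and "Service" in principal
        if stmt.get("Effect") != "Allow" or not is_service:
            continue
        if not REQUIRED_GUARDS <= _condition_keys(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def load_and_check(policy_json):
    """Parse a policy document as returned by the API (a JSON string) and lint it."""
    return unguarded_service_grants(json.loads(policy_json))


# Constructed sample of the common weak variant: S3 may send, from any bucket anywhere.
WEAK_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyBucketMaySend",
        "Effect": "Allow",
        "Principal": {"Service": S3_SERVICE},
        "Action": "SQS:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:ingest-queue",
    }],
}

if __name__ == "__main__":
    good = sqs_queue_policy("us-east-1", "111122223333", "ingest-queue", "my-bucket")
    print("weak policy findings:", unguarded_service_grants(WEAK_QUEUE_POLICY))
    print("hardened queue policy findings:", unguarded_service_grants(good))
    print("key policy findings:", unguarded_service_grants(kms_key_policy("111122223333", "my-bucket")))
    print(json.dumps(good, indent=2))
```

To lint what is actually deployed, feed `load_and_check` the string in the `Policy` attribute returned by `aws sqs get-queue-attributes --queue-url <url> --attribute-names Policy`, or the `Policy` field of `aws kms get-key-policy --key-id <key-id> --policy-name default`; both APIs return the policy document as a JSON string nested inside their JSON response.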