为什么在使用加密的 SNS 主题时收不到 AWS RDS 事件通知？

发布于 2025-01-11 10:56:48 字数 807 浏览 2 评论 0原文

我已通过 RDS 事件订阅设置了快照事件警报，以使用 SNS 主题（通过电子邮件订阅）。一切工作正常，直到我使用 KMS 密钥加密主题（SSE）。我尝试过“默认”密钥，然后尝试了 CMK。对于 CMK，我使用了将服务主体指定为 rds.amazonaws.com 的密钥策略，但没有成功。我也尝试添加 sns.amazonaws.com 。最后我想出了最允许的关键政策（如下），但再次没有成功。

{
            "Sid": "Allow access for Key User (SNS Service Principal)",
            "Effect": "Allow",
            "Principal": {
                "Service": "*"
            },
            "Action": "kms:*",
            "Resource": "*"
}

我发现这个领域（加密 SNS）的记录很少，而且我还没有找到关于加密 SNS 支持哪些服务、哪些不支持的明确规范。我得到的最接近的是这个（RDS未列出）：

https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/

我将不胜感激。

原文

I've set up alerts for snapshot events with RDS Event subscription to use SNS topic ( with email subscription ). Everything worked fine until I've encrypted the topic (SSE) with KMS key.
I've tried "default" key and then I've tried CMK. For CMK I've used Key policy specifying service principal as rds.amazonaws.com with no success. I've also tried adding sns.amazonaws.com as well. Finally I came up with most permitting key policy ( below ) and again with no success.

{
            "Sid": "Allow access for Key User (SNS Service Principal)",
            "Effect": "Allow",
            "Principal": {
                "Service": "*"
            },
            "Action": "kms:*",
            "Resource": "*"
}

I found this area (encrypted SNS) poorly documented and I haven't found clear specifications on which services are supported by encrypted SNS and which are not.
Closest I got is this ( RDS is not listed ):

https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/

I would appreciate any help on this.

分享到QQ

分享到微博