Just add KmsMasterKeyId:

  MyTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: MyTopic
      KmsMasterKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab

Source: AWS CloudFormation documentation

As the answer above suggests, you need to reference a KMS key in the SNS topic definition. You can use the default KMS key for SNS (alias aws/sns) or create your own.

In the CloudFormation below you can see how to create an encrypted topic and a KMS key in the same template, using your own KMS key. The key policy is set up to allow management and usage by the whole AWS account, although you may want to lock it down using the principle of least privilege, depending on the security requirements of your environment.
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Demo template for Encrypted SNS Topic
Resources:
  SNSKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: Demo KMS Key Policy
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: KmsKeyPolicy
        Statement:
          - Sid: SimpleKeyPolicyAllowAccountAdmin
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - 'kms:*'
            Resource: '*'
          - Sid: SimpleKeyPolicyAllowAccountUsage
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - 'kms:Decrypt'
              - 'kms:Encrypt'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: '*'
  SNSKmeKeyAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: !Sub "alias/${AWS::StackName}-SNSEncryptionKey"
      TargetKeyId: !Ref SNSKMSKey
  # -- Encrypted SNS Topic -- #
  EncryptedSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "${AWS::StackName}-EncryptedSNSTopic"
      KmsMasterKeyId: !Ref SNSKMSKey
Outputs:
  KmsKeyId:
    Value: !Ref SNSKMSKey
  TopicArn:
    Value: !Ref EncryptedSNSTopic
If you are looking for a simple SNS topic with the default KMS key, the syntax is as follows. I have also added an email subscription; you can change the subscription as needed:
  RedshiftNotificationTopicSNS:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: alias/aws/sns
      Subscription:
        - Endpoint: !Ref NotificationEmailId
          Protocol: email
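The answers above show the template shape, but none of them shows how to check, before deploying, whether a template meets the bar the second answer mentions (least privilege on the key policy). The following is an added example, not code from the answers or from AWS: a small Python lint that walks a CloudFormation template in its JSON form, flags SNS topics without KmsMasterKeyId and KMS key policies that hand key usage to the whole account with no Condition, and builds the scoped key policy it would accept. The unencrypted "PlainTopic", the region, the publisher role ARN and "cloudwatch.amazonaws.com" as the publishing service are constructed placeholders for the demonstration.

```python
"""Lint a CloudFormation template for unencrypted SNS topics and over-broad
KMS key policies, and build a least-privilege replacement key policy.

Added example, not code from the answers above. The template dicts are the
JSON form of the answers' YAML (CloudFormation accepts both: `!Sub x` is
{"Fn::Sub": "x"} and `!Ref x` is {"Ref": "x"}). "PlainTopic", the role ARN,
the region and the publishing service are constructed placeholders.
"""
import copy
from typing import Any, Dict, List

# Actions that let a principal use the key for data, as opposed to manage it.
USAGE_PREFIXES = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:ReEncrypt")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_strings(principal: Any) -> List[str]:
    """Flatten a Principal element to plain strings, unwrapping Fn::Sub."""
    if principal == "*":
        return ["*"]
    out: List[str] = []
    if isinstance(principal, dict):
        for values in principal.values():
            for v in _as_list(values):
                if isinstance(v, dict) and "Fn::Sub" in v:
                    sub = v["Fn::Sub"]
                    v = sub[0] if isinstance(sub, list) else sub
                if isinstance(v, str):
                    out.append(v)
    return out


def find_issues(template: Dict[str, Any]) -> List[str]:
    """Return one message per finding; an empty list means the template passed."""
    issues: List[str] = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::SNS::Topic" and not props.get("KmsMasterKeyId"):
            issues.append(f"{name}: no KmsMasterKeyId, messages are stored unencrypted")
        if rtype != "AWS::KMS::Key":
            continue
        if props.get("EnableKeyRotation") is not True:
            issues.append(f"{name}: EnableKeyRotation is not true")
        for stmt in props.get("KeyPolicy", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            sid = stmt.get("Sid", "<no Sid>")
            actions = _as_list(stmt.get("Action", []))
            principals = _principal_strings(stmt.get("Principal"))
            conditioned = "Condition" in stmt
            if "*" in principals and not conditioned:
                issues.append(f"{name}/{sid}: granted to Principal '*' with no Condition (public key)")
                continue
            # "kms:*" to the account root is the standard statement that lets IAM
            # policies govern the key at all (without it the key can become
            # unmanageable), so it is not a finding.
            if "kms:*" in actions:
                continue
            # A usage grant to ":root" delegates to IAM for the whole account: any
            # identity whose IAM policy allows kms:Decrypt can read every message
            # SNS stored under this key.
            uses_key = any(a.startswith(USAGE_PREFIXES) for a in actions)
            account_wide = any(p.endswith(":root") for p in principals)
            if uses_key and account_wide and not conditioned:
                issues.append(f"{name}/{sid}: key usage granted account-wide with no Condition")
    return issues


def least_privilege_key_policy(region: str, publisher_role_arn: str,
                               publisher_service: str) -> Dict[str, Any]:
    """Scoped replacement for the account-wide usage statement: one IAM role may
    use the key only through SNS in one region (kms:ViaService), and one AWS
    service may publish only on behalf of this account (aws:SourceAccount)."""
    account_root = {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}
    usage = ["kms:GenerateDataKey*", "kms:Decrypt"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMPolicies", "Effect": "Allow",
         "Principal": {"AWS": account_root}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "PublisherRoleViaSNS", "Effect": "Allow",
         "Principal": {"AWS": publisher_role_arn}, "Action": usage, "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": f"sns.{region}.amazonaws.com"}}},
        {"Sid": "ServiceEventSource", "Effect": "Allow",
         "Principal": {"Service": publisher_service}, "Action": usage, "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": {"Ref": "AWS::AccountId"}}}},
    ]}


ROOT = {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}
# Constructed input: JSON form of the second answer's key and topic, plus an
# unencrypted "PlainTopic" (not in the answers) so the first check fires.
ANSWER_TEMPLATE: Dict[str, Any] = {"Resources": {
    "SNSKMSKey": {"Type": "AWS::KMS::Key", "Properties": {
        "EnableKeyRotation": True,
        "KeyPolicy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "SimpleKeyPolicyAllowAccountAdmin", "Effect": "Allow",
             "Principal": ROOT, "Action": ["kms:*"], "Resource": "*"},
            {"Sid": "SimpleKeyPolicyAllowAccountUsage", "Effect": "Allow",
             "Principal": ROOT, "Resource": "*",
             "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]},
        ]}}},
    "EncryptedSNSTopic": {"Type": "AWS::SNS::Topic",
                          "Properties": {"KmsMasterKeyId": {"Ref": "SNSKMSKey"}}},
    "PlainTopic": {"Type": "AWS::SNS::Topic", "Properties": {"TopicName": "PlainTopic"}},
}}


def hardened_template() -> Dict[str, Any]:
    """ANSWER_TEMPLATE with the scoped key policy and the unencrypted topic removed."""
    t = copy.deepcopy(ANSWER_TEMPLATE)
    t["Resources"]["SNSKMSKey"]["Properties"]["KeyPolicy"] = least_privilege_key_policy(
        "us-east-1", "arn:aws:iam::123456789012:role/PublisherRole", "cloudwatch.amazonaws.com")
    del t["Resources"]["PlainTopic"]
    return t


if __name__ == "__main__":
    for label, tpl in (("answer template", ANSWER_TEMPLATE), ("hardened", hardened_template())):
        print(label, find_issues(tpl) or ["OK"])
```

The lint deliberately does not flag the "kms:*" to account root statement: that is the statement that makes IAM policies effective on the key, and removing it is how keys become unmanageable. What it does flag is the second statement of the answer's template, which hands Encrypt/Decrypt/GenerateDataKey to every identity in the account; the scoped policy restricts that to a named publisher role acting through SNS in one region and to one service principal acting for this account. One caveat on the third answer's alias/aws/sns: the policy of an AWS-managed key cannot be edited, so AWS services that publish into the topic (CloudWatch alarms, S3 event notifications and the like) cannot be granted GenerateDataKey/Decrypt on it; that case needs a customer-managed key as in the second answer.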
Article link: https://www.f2er.com/3120892.html