Estou usando o CloudCheckr.com e seguindo as recomendações para ativar o AWS Config nas regiões em que atualmente não temos atividade.
O ideal é configurar cada região para usar o mesmo bucket do S3 e o tópico do SNS da região padrão (já que ela já está configurada), mas estou recebendo erros como:
Last AWS Error Message: User: arn:aws:sts::XXXXXXX:assumed-role/config-role/AWSConfig-Delivery is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:XXXXXXX:assumed:config-topic (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; ...
Eu tentei configurar o usuário do IAM config-role com a seguinte política:
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"appstream:Get*",
"autoscaling:Describe*",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudformation:List*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"config:Put*",
"directconnect:Describe*",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"elasticache:Describe*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticloadbalancing:Describe*",
"elastictranscoder:Read*",
"elastictranscoder:List*",
"iam:List*",
"iam:Get*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"opsworks:Describe*",
"opsworks:Get*",
"route53:Get*",
"route53:List*",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:Get*",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"storagegateway:List*",
"storagegateway:Describe*",
"trustedadvisor:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}, {
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": [
"arn:aws:s3:::config-bucket-XXXXXXXXXXXX/AWSLogs/XXXXXXXXXXXX/*"
],
"Condition": {
"StringLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}, {
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::config-bucket-XXXXXXXXXXXX"
}, {
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
}]
}
mas isso não parece conceder a permissão correta. Eu continuo recebendo:
The provided SNS topic ARN is invalid.
mesmo sabendo que é o ARN certo para o tópico existente.
Aqui estão as permissões para esse SNS ARN:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:ListSubscriptionsByTopic",
"SNS:Subscribe",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:Publish",
"SNS:RemovePermission",
"SNS:AddPermission",
"SNS:Receive",
"SNS:SetTopicAttributes"
],
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "XXXXXXXXXXXX"
}
}
},
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:root"
]
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
},
{
"Sid": "__console_sub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:config-topic"
}
]
}
Alguém já fez isso antes?
Melhor ainda, alguém tem um script que talvez configure uma região do cli?