I configured an ElastiCache Redis replication group to send notifications to an SNS topic. The SNS topic is encrypted with a custom KMS key.
But I am not receiving any notifications. Checking the Redis settings, I see the notification status is "inactive". If I try to force it to active, it gets put back to inactive. I guess this is because ElastiCache cannot send notifications to that topic.
The KMS key has the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Default",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticache.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
The SNS topic has the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DefaultStatementID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sns:Subscribe",
        "sns:SetTopicAttributes",
        "sns:RemovePermission",
        "sns:Publish",
        "sns:ListSubscriptionsByTopic",
        "sns:GetTopicAttributes",
        "sns:DeleteTopic",
        "sns:AddPermission"
      ],
      "Resource": "arn:aws:sns:<region>:<account_id>:<topic_name>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "<account_id>"
        }
      }
    },
    {
      "Sid": "elasticache-allow-publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticache.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:<region>:<account_id>:<topic_name>"
    }
  ]
}
Of course, the region, account ID and topic name are redacted.
What am I missing?
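Added example (not part of the question above): a small Python checker that evaluates the two posted policies for the grants the service principal needs on the KMS key (kms:GenerateDataKey, kms:Decrypt) and on the topic (sns:Publish), honouring action wildcards, and flags any Allow statement open to every AWS principal without a Condition. It assumes no Deny statements apply and does not evaluate condition keys; the policy dicts are the question's own documents with the redacted placeholders kept.

```python
import fnmatch

# Constructed input: the two policies quoted in the question (placeholders kept as posted).
TOPIC_ARN = "arn:aws:sns:<region>:<account_id>:<topic_name>"
KMS_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Default", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::<account_id>:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "elasticache.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}]}
SNS_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DefaultStatementID", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["sns:Subscribe", "sns:SetTopicAttributes", "sns:RemovePermission", "sns:Publish",
                "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes", "sns:DeleteTopic",
                "sns:AddPermission"],
     "Resource": TOPIC_ARN, "Condition": {"StringEquals": {"AWS:SourceOwner": "<account_id>"}}},
    {"Sid": "elasticache-allow-publish", "Effect": "Allow",
     "Principal": {"Service": "elasticache.amazonaws.com"}, "Action": "sns:Publish",
     "Resource": TOPIC_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def service_grants(policy, service, actions):
    """Subset of `actions` granted to `service` by Allow statements. Action wildcards such as
    kms:GenerateDataKey* are honoured; Deny statements and Conditions are not evaluated
    (assumption: none apply to the service principal)."""
    granted = set()
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        for action in actions:
            if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                granted.add(action)
    return granted

def open_statements(policy):
    """Sids of Allow statements whose principal is '*' and that carry no Condition: such a
    statement lets any AWS account use the listed actions. The posted DefaultStatementID is
    scoped by AWS:SourceOwner, so it is not reported."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "Condition" not in s
            and (s.get("Principal") == "*" or (isinstance(s.get("Principal"), dict)
                                               and s["Principal"].get("AWS") == "*"))]

def check_notification_path(kms_policy, topic_policy, service="elasticache.amazonaws.com"):
    """Report what `service` still lacks on each policy, plus any unconditioned open statements."""
    kms_needed, sns_needed = {"kms:GenerateDataKey", "kms:Decrypt"}, {"sns:Publish"}
    return {"kms_missing": kms_needed - service_grants(kms_policy, service, kms_needed),
            "sns_missing": sns_needed - service_grants(topic_policy, service, sns_needed),
            "open_statements": open_statements(topic_policy)}

if __name__ == "__main__":
    print(check_notification_path(KMS_KEY_POLICY, SNS_TOPIC_POLICY))
```

On the posted documents both grants resolve and nothing is reported as open, so a missing statement in these two policies is not what is blocking the notifications; the same function can be pointed at a corrected policy before it is applied.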