CloudFormation CloudTrail S3 Policy Error - Incorrect S3 bucket policy is detected for bucket
Thanks in advance!
I have been stuck on this the whole weekend. I am trying to create a CloudTrail trail in CloudFormation, but when I run it I get this error - Incorrect S3 bucket policy is detected for bucket: s3bucket-xxxxxx
Here is my code:
    "s3bucket-xxxxxx": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "VersioningConfiguration": {
          "Status": "Suspended"
        }
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "XXXX"
        }
      }
    },
    "s3policytraillogs": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "s3bucket-xxxxxx"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck20150319",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::s3bucket-xxxxxx"
            },
            {
              "Sid": "AWSCloudTrailWrite20150319",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/XXXXXXXX/*",
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "XXXX"
        }
      }
    },
    "trailtraillogs": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IncludeGlobalServiceEvents": true,
        "IsLogging": "true",
        "S3BucketName": {
          "Ref": "s3bucket-xxxxxx"
        }
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "XXXX"
        }
      }
    }
To fix this, the Resource has to be joined to the bucket using a Ref:
    "Resource": [{
      "Fn::Join": [ "", [
        "arn:aws:s3:::", {
          "Ref": "s3traillogs"
        }, "/AWSLogs/XXXXXXXXXXX/*"
      ]]
    }],
Based on the resource definition, the YAML could look like this:
    EventBucketStorage:
      Type: "AWS::S3::Bucket"
      Properties:
        #AccessControl: PublicRead
        MetricsConfigurations:
          - Id: EventBucketStorageMetrics
        BucketName: !Sub "s3-event-step-bucket-storage-s"
    EventBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref EventBucketStorage
        PolicyDocument:
          # quoted so YAML keeps it a string instead of parsing a date
          Version: "2012-10-17"
          Statement:
            -
              Sid: "AWSCloudTrailAclCheck20150319"
              Effect: Allow
              Principal:
                Service: cloudtrail.amazonaws.com
              Action: s3:GetBucketAcl
              Resource: !Join
                - ""
                - - "arn:aws:s3:::"
                  - !Ref EventBucketStorage
            -
              Sid: AWSCloudTrailWrite20150319
              Effect: Allow
              Principal:
                Service: cloudtrail.amazonaws.com
              Action: s3:PutObject
              Resource: !Join
                - ""
                - - "arn:aws:s3:::"
                  - !Ref EventBucketStorage
                  - /*
              Condition:
                StringEquals:
                  s3:x-amz-acl: bucket-owner-full-control
You can also have a look at the link Start the execution of State Machine based on Amazon S3 Event.
The error mentioned can also be caused by:
1) A dependency problem between the trail and the bucket.
This can be solved by referencing the bucket from the trail:
    "DependsOn": [
      "TheLogBucket"
    ]
2) A misconfigured bucket policy.
For example, in the second statement: "Resource":"arn:aws:s3:::myBucketName/<prefix>/AWSLogs/<account-id>/*"
a wrong prefix or account ID was passed, or the "*" suffix was forgotten.
3) Wrong indentation or wrong quotes in the YAML file.
(*) Issues #1 and #2 are also mentioned here.
(**) Be sure to follow the CloudTrail Trail Naming Requirements.
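A pre-deployment check for the two grants CloudTrail verifies on the bucket (GetBucketAcl on the bucket, PutObject on AWSLogs/<account-id>/* with the bucket-owner-full-control condition), added here as an example and not part of any of the answers above. It resolves Ref and Fn::Join the way the first answer builds the Resource, and reports which grant is missing for the causes the last answer lists (wrong prefix, wrong account ID, missing "*"). The logical ID TheLogBucket, the bucket name and the account ID are constructed values.

```python
import json

# Constructed sample (not from the page): the Write statement's Resource is built
# with Fn::Join over a Ref to the bucket's logical ID, as the first answer recommends.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:GetBucketAcl",
         "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "TheLogBucket"}]]}},
        {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
         "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "TheLogBucket"},
                                        "/AWSLogs/", {"Ref": "AWS::AccountId"}, "/*"]]},
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

def resolve(node, refs):
    """Resolve the Ref and Fn::Join intrinsics used in the templates on this page."""
    if isinstance(node, dict) and "Ref" in node:
        return refs[node["Ref"]]  # KeyError means a Ref to an unknown logical ID
    if isinstance(node, dict) and "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(p, refs) for p in parts)
    return node

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_cloudtrail_policy(policy, bucket, account, logical_id="TheLogBucket"):
    """Return the grants CloudTrail needs but the policy lacks (empty list = OK)."""
    refs = {logical_id: bucket, "AWS::AccountId": account}
    needed = {  # action -> (exact resource ARN, required Condition or None)
        "s3:GetBucketAcl": (f"arn:aws:s3:::{bucket}", None),
        "s3:PutObject": (f"arn:aws:s3:::{bucket}/AWSLogs/{account}/*",
                         {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}),
    }
    missing = []
    for action, (resource, condition) in needed.items():
        for st in policy.get("Statement", []):
            if (st.get("Effect") == "Allow"
                    and st.get("Principal", {}).get("Service") == "cloudtrail.amazonaws.com"
                    and action in as_list(st.get("Action"))
                    and resource in [resolve(r, refs) for r in as_list(st.get("Resource"))]
                    and (condition is None or st.get("Condition") == condition)):
                break
        else:  # no statement satisfied this grant
            missing.append(f"{action} on {resource}")
    return missing

if __name__ == "__main__":
    print(json.dumps(check_cloudtrail_policy(SAMPLE_POLICY, "my-trail-logs", "111122223333")))
```

Run it against the PolicyDocument of your template (loaded with json) before creating the stack; a hardcoded logical ID in the ARN, as in the question, shows up as a missing s3:PutObject grant because the real bucket name is generated.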