Enable object logging on S3 bucket via CloudFormation
In AWS S3 you can go to the console and add 'Object-level logging' to a bucket. You create or select a pre-existing trail and select the read and write log types.
Now I am creating the bucket via YAML CloudFormation and want to add a pre-existing trail (or create a new one) to it. How do I do that? I can't find any examples.
Object logging for an S3 bucket with CloudTrail is done by defining so-called event selectors for data events in CloudTrail. This is also available via CloudFormation. The following CloudFormation template shows how it is done. The important part is the lower half (the upper half only sets up the S3 bucket that CloudTrail can log to):
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Bucket that receives the CloudTrail log files
  s3BucketForTrailData:
    Type: "AWS::S3::Bucket"
  # Bucket policy that lets the CloudTrail service write into that bucket
  trailBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref s3BucketForTrailData
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub "arn:aws:s3:::${s3BucketForTrailData}"
          - Effect: Allow
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub "arn:aws:s3:::${s3BucketForTrailData}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
  # Bucket whose object-level (data) events should be logged
  s3BucketToBeLogged:
    Type: "AWS::S3::Bucket"
  cloudTrailTrail:
    Type: "AWS::CloudTrail::Trail"
    DependsOn:
      - trailBucketPolicy # the policy must exist before the trail starts writing
    Properties:
      IsLogging: true
      S3BucketName: !Ref s3BucketForTrailData
      EventSelectors:
        - DataResources:
            - Type: "AWS::S3::Object"
              Values:
                - "arn:aws:s3:::" # log data events for all S3 buckets
                - !Sub "${s3BucketToBeLogged.Arn}/" # log data events for the S3 bucket defined above
          IncludeManagementEvents: true
          ReadWriteType: All
```
For more details, check the CloudFormation documentation for CloudTrail event selectors.
Although it is basically the same, this is how I did it.
```yaml
cloudtrail:
  Type: AWS::CloudTrail::Trail
  Properties:
    EnableLogFileValidation: true
    EventSelectors:
      - DataResources:
          - Type: AWS::S3::Object
            Values:
              - arn:aws:s3:::s3-event-step-bucket/ # trailing slash: all objects in this bucket
        IncludeManagementEvents: true
        ReadWriteType: All
    IncludeGlobalServiceEvents: true
    IsLogging: true
    IsMultiRegionTrail: true
    S3BucketName: s3-event-step-bucket-storage
    TrailName: xyz
```
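Both answers rely on CloudTrail matching `AWS::S3::Object` values as ARN prefixes. The following added example (not code from either answer) checks, against a constructed copy of the first template's event selectors, whether a given bucket and access type would actually be captured by the trail; the selector dictionary mirrors the shape returned by `aws cloudtrail get-event-selectors`, and the bucket names are made up.

```python
"""Check whether a trail's EventSelectors cover object-level access to a bucket."""

# Constructed stand-in for the first answer's trail: ReadWriteType All, one
# value for every bucket plus one for the specific bucket (trailing slash).
TRAIL_EVENT_SELECTORS = [
    {
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [
            {
                "Type": "AWS::S3::Object",
                "Values": ["arn:aws:s3:::", "arn:aws:s3:::s3-bucket-to-be-logged/"],
            }
        ],
    }
]


def selector_covers(selector, bucket, key, access):
    """True if this selector logs `access` ("Read" or "Write") for s3://bucket/key.

    Assumption, taken from the CloudTrail docs: a value is a prefix of the
    object ARN, so "arn:aws:s3:::" matches every bucket, "arn:aws:s3:::b/"
    every object in bucket b, and "arn:aws:s3:::b/images" a key prefix.
    Whole-bucket values should end in "/" so that "arn:aws:s3:::logs" does
    not also cover a bucket named "logs-archive".
    """
    rw = selector.get("ReadWriteType", "All")
    if rw != "All" and rw != f"{access}Only":
        return False
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    for resource in selector.get("DataResources", []):
        if resource.get("Type") != "AWS::S3::Object":
            continue
        if any(object_arn.startswith(v) for v in resource.get("Values", [])):
            return True
    return False


def bucket_logged(selectors, bucket, key="", access="Write"):
    """True if any selector on the trail captures the given object access."""
    return any(selector_covers(s, bucket, key, access) for s in selectors)


if __name__ == "__main__":
    for b in ("s3-bucket-to-be-logged", "some-other-bucket"):
        print(b, "write logged:", bucket_logged(TRAIL_EVENT_SELECTORS, b))
```

Feed it the real output of `get-event-selectors` to verify that a bucket created in one stack is covered by a trail defined in another.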