
Incorrect S3 bucket policy is detected for bucket in Boto3

I have been working on setting up CloudTrail for an IAM user using Boto but I have run into an error:

An error occurred (InsufficientS3BucketPolicyException) when calling the CreateTrail operation: Incorrect S3 bucket policy is detected for bucket: goodbucket

I am not sure what's wrong here. Saving the CloudTrail log is not a priority, but I will need the ResourceID to delete the resource later on using Lambda functions.

    import boto3
    import sys
    import json
    import time

    # Clients for the services touched below (sys/time/ec2 are unused so far)
    iam = boto3.client('iam')
    sts = boto3.client('sts')
    ec2 = boto3.resource('ec2')
    cloudtrail = boto3.client('cloudtrail')

    # Create the user and group, then put the user in the group
    response = iam.create_user(
        UserName='GoodUser'
    )
    IDK = sts.get_caller_identity()   # gives the account ID used in the ARNs below
    print(IDK['UserId'])
    response = iam.create_group(
        GroupName='GoodGroup'
    )

    response = iam.add_user_to_group(
        GroupName='GoodGroup',
        UserName='GoodUser'
    )

    # Managed policy: launch/stop/terminate only t2.micro instances in us-east-2,
    # with the read-only actions limited to a fixed time window
    some_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    f"arn:aws:ec2:us-east-2:{IDK['Account']}:instance/*",
                    f"arn:aws:ec2:us-east-2:{IDK['Account']}:network-interface/*",
                    f"arn:aws:ec2:us-east-2:{IDK['Account']}:key-pair/*",
                    f"arn:aws:ec2:us-east-2:{IDK['Account']}:security-group/*",
                    f"arn:aws:ec2:us-east-2:{IDK['Account']}:subnet/*",
                    f"arn:aws:ec2:us-east-2:{IDK['Account']}:volume/*",
                    f"arn:aws:ec2:us-east-2:{IDK['Account']}:image/ami-0a91cd140a1fc148a"
                ],
                "Condition": {
                    "ForAllValues:NumericLessThanEquals": {
                        "ec2:VolumeSize": "10"
                    },
                    "ForAllValues:StringEquals": {
                        "ec2:InstanceType": "t2.micro"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "ec2:TerminateInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": f"arn:aws:ec2:us-east-2:{IDK['Account']}:instance/*",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "ec2:InstanceType": "t2.micro"
                    }
                }
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*",
                    "ec2:GetConsole*",
                    "cloudwatch:DescribeAlarms",
                    "iam:ListInstanceProfiles",
                    "cloudwatch:GetMetricStatistics",
                    "ec2:DescribeKeyPairs",
                    "ec2:CreateKeyPair"
                ],
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {
                        "aws:CurrentTime": "2020-12-10T05:00:00Z"
                    },
                    "DateLessThanEquals": {
                        "aws:CurrentTime": "2020-12-10T05:35:00Z"
                    }
                }
            }
        ]
    }
    response = iam.create_policy(
        PolicyName='GoodPolicy',
        PolicyDocument=json.dumps(some_policy)
    )
    print(response)

    IDK1 = iam.attach_group_policy(
        GroupName='GoodGroup',
        PolicyArn=f"arn:aws:iam::{IDK['Account']}:policy/GoodPolicy"
    )

    # This call fails with InsufficientS3BucketPolicyException: the bucket
    # 'goodbucket' has no policy granting cloudtrail.amazonaws.com access
    logs = cloudtrail.create_trail(
        Name='GoodTrail',
        S3BucketName='goodbucket',
    )
    print(logs)

You are configuring AWS CloudTrail to write log files to an Amazon S3 bucket. To do this, the S3 bucket requires a Bucket Policy that grants permission to the CloudTrail service to write to the bucket.

From Amazon S3 Bucket Policy for CloudTrail - AWS CloudTrail:

If you want to create or modify an Amazon S3 bucket to receive the log files for an organization trail, you must further modify the bucket policy.

To deliver log files to an S3 bucket, CloudTrail must have the required permissions, and it cannot be configured as a Requester Pays bucket. CloudTrail automatically attaches the required permissions to a bucket when you create an Amazon S3 bucket as part of creating or updating a trail in the CloudTrail console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::myBucketName"
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        }
    ]
}
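The following is an added example (not from the question or the answer above) that turns the documented policy into code: it builds the two required statements for a bucket, checks an existing bucket policy for them the same way CloudTrail does before it raises `InsufficientS3BucketPolicyException`, and only then attaches the policy and creates the trail. The bucket name `goodbucket`, trail name `GoodTrail` and region `us-east-2` are taken from the question; the optional `aws:SourceArn` condition is an extra hardening step (it pins the grant to one trail so another account's trail cannot write into the bucket) and is not part of the policy quoted above. The boto3 calls are only run from `main`, so the policy helpers work offline.

```python
"""Build, verify and attach the S3 bucket policy CloudTrail needs, then create the trail."""
import fnmatch
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def log_key_arn(bucket, account_id, prefix=None):
    """ARN pattern of the objects CloudTrail writes (optional S3 key prefix)."""
    key = f"AWSLogs/{account_id}/*"
    if prefix:
        key = f"{prefix.strip('/')}/{key}"
    return f"arn:aws:s3:::{bucket}/{key}"


def cloudtrail_bucket_policy(bucket, account_id, prefix=None, trail_arn=None):
    """Return the bucket policy document CloudTrail requires (shape per AWS docs).

    trail_arn, when given, adds an aws:SourceArn condition so only that trail,
    not any CloudTrail trail in any account, can use the grant.
    """
    def conditions(extra=None):
        cond = dict(extra or {})
        if trail_arn:
            cond["aws:SourceArn"] = trail_arn
        return {"Condition": {"StringEquals": cond}} if cond else {}

    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail first checks that it can read the bucket ACL
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                **conditions(),
            },
            {   # ...then that it may write log objects, handing ownership to the bucket owner
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": log_key_arn(bucket, account_id, prefix),
                **conditions({"s3:x-amz-acl": "bucket-owner-full-control"}),
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(stmt, action, resource_arn):
    """True if an Allow statement grants `action` on `resource_arn` to CloudTrail."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if principal != "*" and CLOUDTRAIL_SERVICE not in services:
        return False
    # IAM action names are case-insensitive and may contain wildcards
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    # the existing grant must be at least as broad as the required resource pattern
    return any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", [])))


def missing_grants(policy, bucket, account_id, prefix=None):
    """Return the CloudTrail grants absent from an existing bucket policy.

    An empty list means create_trail will pass the bucket-policy check; any
    entry is a reason for InsufficientS3BucketPolicyException.
    """
    required = [
        ("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"),
        ("s3:PutObject", log_key_arn(bucket, account_id, prefix)),
    ]
    statements = _as_list(policy.get("Statement", []))
    return [a for a, r in required if not any(_allows(s, a, r) for s in statements)]


def attach_policy_and_create_trail(bucket, trail_name, region, prefix=None):
    """Merge the required statements into the bucket policy, create and start the trail."""
    import boto3                                   # needs AWS credentials; kept out of the helpers
    from botocore.exceptions import ClientError
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    s3 = boto3.client("s3", region_name=region)
    try:
        current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as err:                     # NoSuchBucketPolicy is not a modelled exception
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current = {"Version": "2012-10-17", "Statement": []}
    if missing_grants(current, bucket, account_id, prefix):
        needed = cloudtrail_bucket_policy(bucket, account_id, prefix, trail_arn)["Statement"]
        current["Statement"] = _as_list(current.get("Statement", [])) + needed   # keep existing grants
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(current))
    ct = boto3.client("cloudtrail", region_name=region)
    kwargs = {"Name": trail_name, "S3BucketName": bucket}
    if prefix:
        kwargs["S3KeyPrefix"] = prefix
    trail = ct.create_trail(**kwargs)
    ct.start_logging(Name=trail_name)              # create_trail alone does not start delivery
    return trail["TrailARN"]


if __name__ == "__main__":
    print(attach_policy_and_create_trail("goodbucket", "GoodTrail", "us-east-2"))
```

Run `missing_grants` against `get_bucket_policy` output before calling `create_trail` and the error in the question becomes a readable list of the grants to add; note that the merge keeps whatever statements the bucket already has, so review them rather than assuming a fresh policy.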
