[英]Incorrect S3 bucket policy is detected for bucket in CloudFormation
[英]CloudFormation CloudTrail S3 Policy Error - Incorrect S3 bucket policy is detected for bucket
提前致謝!
我整個周末都被困在這個問題上..我正在嘗試在 cloudformation 中創建一個 cloudtrail 服務,但在運行時收到此錯誤 - 檢測到存儲桶的 S3 存儲桶策略不正確:s3bucket-xxxxxx
這是我的代碼;
"s3bucket-xxxxxx": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "Private",
"VersioningConfiguration": {
"Status": "Suspended"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "XXXX"
}
}
},
"s3policytraillogs": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "s3bucket-xxxxxx"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::s3bucket-xxxxxx"
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/XXXXXXXX/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "XXXX"
}
}
},
"trailtraillogs": {
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IncludeGlobalServiceEvents": true,
"IsLogging": "true",
"S3BucketName": {
"Ref": "s3bucket-xxxxxx"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "XXXX"
}
}
}
要解決此問題,需要使用引用將資源連接到存儲桶
"Resource": [{
"Fn::Join": [ "", [
"arn:aws:s3:::", {
"Ref": "s3traillogs"
}, "/AWSLogs/XXXXXXXXXXX/*"
]
]
}],
提到的錯誤也可能是由於:
1) trail和bucket之間的依賴問題。
這可以通過從跟蹤中引用存儲桶來解決:
"DependsOn": [
"TheLogBucket"
]
2)桶策略配置錯誤。
例如,在第二條語句中: "Resource":"arn:aws:s3:::myBucketName/<prefix>/AWSLogs/<account-id>/*"
傳遞錯誤的前綴、帳戶 ID 或忘記"*"
后綴。
3 ) YAML 文件中的錯誤縮進或錯位的引號。
(*) #1 和 #2 的問題也在這里提到。
(**) 請確保您遵循CloudTrail 路徑命名要求。
根據資源定義,YAML 可能是這樣的:
EventBucketStorage:
Type: "AWS::S3::Bucket"
Properties:
#AccessControl: PublicRead
MetricsConfigurations:
- Id: EventBucketStorageMetrics
BucketName: !Sub "s3-event-step-bucket-storage-s"
EventBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref EventBucketStorage
PolicyDocument:
Version: 2012-10-17
Statement:
-
Sid: "AWSCloudTrailAclCheck20150319"
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:GetBucketAcl
Resource: !Join
- ""
- - "arn:aws:s3:::"
- !Ref EventBucketStorage
-
Sid: AWSCloudTrailWrite20150319
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:PutObject
Resource: !Join
- ""
- - "arn:aws:s3:::"
- !Ref EventBucketStorage
- /*
Condition:
StringEquals:
s3:x-amz-acl: bucket-owner-full-control
您還可以檢查鏈接Start the execution of State Machine based on Amazon S3 Event
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.