
CloudFormation CloudTrail S3 Policy Error - Incorrect S3 bucket policy is detected for bucket

Thanks in advance!

I have been stuck on this the whole weekend. I am trying to create a CloudTrail service in CloudFormation, but when I run it I get this error - Incorrect S3 bucket policy is detected for bucket: s3bucket-xxxxxx

Here is my code:

"s3bucket-xxxxxx": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "AccessControl": "Private",
        "VersioningConfiguration": {
            "Status": "Suspended"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"s3policytraillogs": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "s3bucket-xxxxxx"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::s3bucket-xxxxxx"
                },
                {
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:PutObject",
                    "Resource": "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/XXXXXXXX/*",
                    "Condition": {
                        "StringEquals": {
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    }
                }
            ]
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"trailtraillogs": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "IncludeGlobalServiceEvents": true,
        "IsLogging": "true",
        "S3BucketName": {
            "Ref": "s3bucket-xxxxxx"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
}

To fix this, the Resource needs to be linked to the bucket with a Ref:

                    "Resource": [{
                      "Fn::Join": [ "", [
                          "arn:aws:s3:::", {
                            "Ref": "s3traillogs"
                          }, "/AWSLogs/XXXXXXXXXXX/*"
                        ]
                      ]
                    }],

The error mentioned can also be caused by:

1) A dependency problem between the trail and the bucket.

This can be solved by referencing the bucket from the trail:

   "DependsOn": [
        "TheLogBucket"
    ]

2) A misconfigured bucket policy.

For example, in the second statement: "Resource":"arn:aws:s3:::myBucketName/<prefix>/AWSLogs/<account-id>/*"
passing the wrong prefix or account ID, or forgetting the "*" suffix.

3) Wrong indentation or misplaced quotes in the YAML file.


(*) Problems #1 and #2 are also mentioned here.

(**) Please make sure you follow the CloudTrail path naming requirements.

Based on the resource definitions, the YAML could look like this:

  EventBucketStorage:
    Type: "AWS::S3::Bucket"
    Properties:
      #AccessControl: PublicRead
      MetricsConfigurations:
        - Id: EventBucketStorageMetrics
      BucketName: !Sub "s3-event-step-bucket-storage-s"

  EventBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref EventBucketStorage
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Sid: "AWSCloudTrailAclCheck20150319"
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Join
              - ""
              - - "arn:aws:s3:::"
                - !Ref EventBucketStorage
          -
            Sid: AWSCloudTrailWrite20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Join
              - ""
              - - "arn:aws:s3:::"
                - !Ref EventBucketStorage
                - /*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

You can also check the link: Start the execution of State Machine based on Amazon S3 Event
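The question's template fails for the reason the first answer points at: the bucket has no BucketName, so CloudFormation generates its physical name, while the policy's Resource ARNs hard-code the logical ID (s3bucket-xxxxxx) as if it were the bucket name. CloudTrail then inspects the policy attached to the real bucket and finds no grant for itself. The example below is added here and is not code from the question or from any of the answers: a small offline lint that resolves Ref, Fn::Join and string-form Fn::Sub against an assumed physical bucket name, checks the two statements CloudTrail needs (GetBucketAcl on the bucket ARN, PutObject under AWSLogs/<account-id>/ with the bucket-owner-full-control condition, covering the prefix and account-ID mistakes in the second answer's point 2), and checks for a DependsOn from the trail to the policy resource (my choice for the dependency in point 1: the trail must not be created before the policy is attached). The logical IDs LogBucket, LogBucketPolicy and Trail, the account ID 123456789012 and the physical name mystack-logbucket-1a2b3c4d are constructed sample values.

```python
"""Pre-deploy lint for the CloudTrail bucket-policy pattern in this thread (added
example, not code from the question or the answers). It resolves a small subset of
CloudFormation intrinsics (Ref, Fn::Join, string-form Fn::Sub) against an ASSUMED
physical bucket name, then checks what CloudTrail needs: s3:GetBucketAcl on the
bucket ARN, s3:PutObject on <bucket-arn>/[<prefix>/]AWSLogs/<account-id>/* with
the bucket-owner-full-control ACL condition, and a DependsOn from the trail to the
policy so the trail is created only after the policy is attached."""
import fnmatch
import re

CLOUDTRAIL = "cloudtrail.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def resolve(node, ctx):
    """Resolve Ref / Fn::Join / Fn::Sub; ctx maps logical IDs, "Id.Attr" references
    and pseudo parameters (AWS::AccountId) to physical values."""
    if isinstance(node, list):
        return [resolve(n, ctx) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return ctx[node["Ref"]]
    if "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(str(resolve(p, ctx)) for p in parts)
    if "Fn::Sub" in node:  # string form only: ${Name} and ${Name.Attr}
        return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx[m.group(1)]), node["Fn::Sub"])
    return {k: resolve(v, ctx) for k, v in node.items()}

def _allows(stmt, action):
    principal = stmt.get("Principal")
    service = principal.get("Service") if isinstance(principal, dict) else None
    return (stmt.get("Effect") == "Allow" and CLOUDTRAIL in _as_list(service or [])
            and action in _as_list(stmt.get("Action", [])))

def check_cloudtrail_policy(policy, bucket, account_id, prefix=""):
    """Findings for a resolved policy document; [] means it looks right."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    # A representative key CloudTrail would write; an IAM '*' also matches '/'.
    sample_object = f"{bucket_arn}/{key_prefix}AWSLogs/{account_id}/sample.json.gz"
    stmts = policy.get("Statement", [])
    if not any(fnmatch.fnmatchcase(bucket_arn, r) for s in stmts
               if _allows(s, "s3:GetBucketAcl") for r in _as_list(s.get("Resource", []))):
        findings.append(f"no s3:GetBucketAcl grant to {CLOUDTRAIL} on {bucket_arn}")
    covering = [s for s in stmts if _allows(s, "s3:PutObject") and any(
        fnmatch.fnmatchcase(sample_object, r) for r in _as_list(s.get("Resource", [])))]
    if not covering:
        findings.append(f"no s3:PutObject grant covering {key_prefix}AWSLogs/{account_id}/* in {bucket_arn}")
    for s in covering:
        if s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{s.get('Sid', '<no Sid>')}: missing s3:x-amz-acl = bucket-owner-full-control")
    return findings

def lint_template(template, bucket_physical_name, account_id):
    """Lint every BucketPolicy in a template dict against CloudTrail's needs."""
    resources = template["Resources"]
    of_type = lambda t: [(k, v) for k, v in resources.items() if v.get("Type") == t]
    findings = []
    for pol_id, pol in of_type("AWS::S3::BucketPolicy"):
        bucket_id = pol["Properties"]["Bucket"]["Ref"]
        # Ref on a bucket yields its physical name, never its logical ID.
        ctx = {"AWS::AccountId": account_id, bucket_id: bucket_physical_name,
               f"{bucket_id}.Arn": f"arn:aws:s3:::{bucket_physical_name}"}
        doc = resolve(pol["Properties"]["PolicyDocument"], ctx)
        findings += [f"{pol_id}: {f}" for f in check_cloudtrail_policy(doc, bucket_physical_name, account_id)]
        for trail_id, trail in of_type("AWS::CloudTrail::Trail"):
            if pol_id not in _as_list(trail.get("DependsOn", [])):
                findings.append(f"{trail_id}: add DependsOn: [{pol_id}] so the trail waits for the policy")
    return findings

ACCOUNT = "123456789012"                 # constructed sample account id
PHYSICAL = "mystack-logbucket-1a2b3c4d"  # assumed generated name (no BucketName set)

def _template(acl_resource, write_resource, depends_on=None):
    """Constructed template shaped like the one in the question."""
    trail = {"Type": "AWS::CloudTrail::Trail", "Properties": {"IsLogging": True,
             "IncludeGlobalServiceEvents": True, "S3BucketName": {"Ref": "LogBucket"}}}
    if depends_on:
        trail["DependsOn"] = depends_on
    statement = [
        {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl", "Resource": acl_resource},
        {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject", "Resource": write_resource,
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]
    return {"Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
        "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": "LogBucket"},
            "PolicyDocument": {"Version": "2012-10-17", "Statement": statement}}},
        "Trail": trail}}

# As posted in the question: the logical ID is used as if it were the bucket name.
BROKEN = _template("arn:aws:s3:::LogBucket", f"arn:aws:s3:::LogBucket/AWSLogs/{ACCOUNT}/*")
# Fixed: ARNs derived from the bucket resource, and the trail waits for the policy.
FIXED = _template({"Fn::Sub": "${LogBucket.Arn}"},
                  {"Fn::Sub": "${LogBucket.Arn}/AWSLogs/${AWS::AccountId}/*"}, ["LogBucketPolicy"])
```

Calling `lint_template(BROKEN, PHYSICAL, ACCOUNT)` returns three findings (no GetBucketAcl grant on the real bucket ARN, no PutObject grant covering its AWSLogs path, and the missing DependsOn), while `lint_template(FIXED, PHYSICAL, ACCOUNT)` returns none. The `/*` form in the third answer's YAML also passes the write check, because it covers the AWSLogs path; narrowing it to `/AWSLogs/${AWS::AccountId}/*` keeps CloudTrail from being able to write anywhere else in the bucket.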

