
Unknown error, no message, CF template is just logically not working for my automatic s3 bucket testing

My template is:

Resources:
  LambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: |
          import json
          import boto3

          s3 = boto3.client('s3')

          def lambda_handler(event, context):
            # Get bucket name from the S3 event (delivered via CloudTrail)
            print(event)

            bucket_name = event['detail']['requestParameters']['bucketName']

            # Create a bucket policy: deny unencrypted uploads and non-TLS access
            bucket_policy = json.dumps({
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "MustBeEncryptedAtRest",
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": "s3:PutObject",
                  "Resource": [
                    "arn:aws:s3:::{}".format(bucket_name),
                    "arn:aws:s3:::{}/*".format(bucket_name)
                  ],
                  "Condition": {
                    "StringNotEquals": {
                      "s3:x-amz-server-side-encryption": [
                        "AES256",
                        "aws:kms"
                      ]
                    }
                  }
                },
                {
                  "Sid": "MustBeEncryptedInTransit",
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": "s3:*",
                  "Resource": [
                    "arn:aws:s3:::{}".format(bucket_name),
                    "arn:aws:s3:::{}/*".format(bucket_name)
                  ],
                  "Condition": {
                    "Bool": {
                      "aws:SecureTransport": "false"
                    }
                  }
                }
              ]
            })

            # Set the new policy
            s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
      Handler: index.lambda_handler
      Role: 'arn:aws:iam::role'   # placeholder; the execution role ARN goes here
      Runtime: python3.7
  EventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      EventPattern:
        source:
          - aws.s3
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - s3.amazonaws.com
          eventName:
            - CreateBucket

This successfully creates a lambda function along with an EventBridge event; I have to add the EventBridge trigger manually, but when I create an s3 bucket, there is no policy. There is no error reference for me to look at, and at the moment I can't find any logical error. This is on the stack I created with the template above. Any ideas?

The best way to investigate this is through CloudWatch.

First check your CloudWatch logs in the region where the Lambda exists. This will identify any problems with the Lambda function, such as:

  • IAM permissions missing from your role
  • Python parsing errors (invalid syntax)

If there are no logs, check the CloudWatch metrics to make sure the function is being invoked. If it is not, the event is not triggering.

Also, to have the Lambda added as a trigger automatically, you need to include it in the template as a target of the CloudWatch Events rule.

Here is roughly the template you need.

Resources:
  LambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: |
          import json
          import boto3

          s3 = boto3.client('s3')

          def lambda_handler(event, context):
            # Get bucket name from the S3 event (delivered via CloudTrail)
            print(event)

            bucket_name = event['detail']['requestParameters']['bucketName']

            # Create a bucket policy: deny unencrypted uploads and non-TLS access
            bucket_policy = json.dumps({
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "MustBeEncryptedAtRest",
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": "s3:PutObject",
                  "Resource": [
                    "arn:aws:s3:::{}".format(bucket_name),
                    "arn:aws:s3:::{}/*".format(bucket_name)
                  ],
                  "Condition": {
                    "StringNotEquals": {
                      "s3:x-amz-server-side-encryption": [
                        "AES256",
                        "aws:kms"
                      ]
                    }
                  }
                },
                {
                  "Sid": "MustBeEncryptedInTransit",
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": "s3:*",
                  "Resource": [
                    "arn:aws:s3:::{}".format(bucket_name),
                    "arn:aws:s3:::{}/*".format(bucket_name)
                  ],
                  "Condition": {
                    "Bool": {
                      "aws:SecureTransport": "false"
                    }
                  }
                }
              ]
            })

            # Set the new policy
            s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
      Handler: index.lambda_handler
      Role: 'arn:aws:iam::role'   # placeholder; the execution role ARN goes here
      Runtime: python3.7
  EventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      EventPattern:
        source:
          - aws.s3
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - s3.amazonaws.com
          eventName:
            - CreateBucket
      # The rule needs the function as a target; otherwise nothing is invoked
      Targets:
        - Arn: !GetAtt LambdaFunction.Arn
          Id: "TargetFunctionV1"
  # Resource-based permission so the Events service may invoke the function
  PermissionForEventsToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName:
        Ref: "LambdaFunction"
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: !GetAtt EventRule.Arn
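The handler from the question and the answer's template, as an added example that is not code from either post: the event parsing and the bucket-policy builder are split into functions so they can be run offline and checked before deploying. `FakeS3` and the two sample events are constructed for this example, and the `errorCode` check is an addition beyond what the page shows (CloudTrail also records CreateBucket calls that failed, and the rule above matches those by `eventName` just the same).

```python
"""Added example (not the asker's or answerer's code): the CreateBucket handler
restructured so event parsing and the policy builder run offline. FakeS3 and the
sample events are constructed for this example."""
import json


def extract_bucket_name(event):
    """Bucket name from an EventBridge 'AWS API Call via CloudTrail' event for
    s3 CreateBucket, or None for anything the handler should ignore: another API
    call, a CreateBucket that failed (CloudTrail records those too, with an
    errorCode, and the rule in the template still matches them), or no bucketName."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "CreateBucket":
        return None
    if "errorCode" in detail:  # e.g. BucketAlreadyExists: no bucket to police
        return None
    return (detail.get("requestParameters") or {}).get("bucketName")


def build_bucket_policy(bucket_name):
    """Same two Deny statements as the question: SSE required on PutObject,
    and every request must arrive over TLS."""
    bucket_arn = "arn:aws:s3:::{}".format(bucket_name)
    resources = [bucket_arn, bucket_arn + "/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MustBeEncryptedAtRest",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resources,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}},
            },
            {
                "Sid": "MustBeEncryptedInTransit",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def apply_policy(event, s3_client):
    """Handler core with the S3 client injected. Returns the bucket name that
    received a policy, or None when the event was skipped."""
    bucket_name = extract_bucket_name(event)
    if bucket_name is None:
        return None
    s3_client.put_bucket_policy(
        Bucket=bucket_name, Policy=json.dumps(build_bucket_policy(bucket_name)))
    return bucket_name


def lambda_handler(event, context):
    """Entry point for the Lambda runtime (Handler: index.lambda_handler)."""
    import boto3  # imported lazily so the module also loads where boto3 is absent
    print(json.dumps(event))  # keep the raw event in CloudWatch Logs for debugging
    return apply_policy(event, boto3.client("s3"))


class FakeS3:
    """Constructed stand-in for boto3's S3 client: records calls, makes none."""
    def __init__(self):
        self.calls = []  # (bucket, parsed policy document) per call

    def put_bucket_policy(self, Bucket, Policy):
        self.calls.append((Bucket, json.loads(Policy)))


# Constructed sample event, shaped like what EventBridge delivers for the rule
# in the template (only the fields the handler reads are included).
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "example-bucket-1234"},
    },
}

# The same call as CloudTrail records it when it failed; still matches the rule.
FAILED_EVENT = json.loads(json.dumps(SAMPLE_EVENT))
FAILED_EVENT["detail"]["errorCode"] = "BucketAlreadyExists"


def demo():
    """Feed both events to the handler; returns (policed, skipped, call count)."""
    s3 = FakeS3()
    return apply_policy(SAMPLE_EVENT, s3), apply_policy(FAILED_EVENT, s3), len(s3.calls)
```

`demo()` returns `('example-bucket-1234', None, 1)`: the successful CreateBucket gets the policy and the failed one is skipped without an S3 call. With the client injected, the policy document can be asserted on locally, which is exactly the check the answer suggests doing by reading CloudWatch Logs after the fact; the lazy `boto3` import keeps the module importable without boto3 installed, while the Lambda runtime provides it.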
