【Question title】: CloudFormation CloudTrail S3 Policy Error - Incorrect S3 bucket policy is detected for bucket
【Posted】: 2017-10-14 06:30:22
【Question】:

Thanks in advance!

I've been stuck on this all weekend. I'm trying to create a CloudTrail service in CloudFormation, but when I run it I get this error - Incorrect S3 bucket policy is detected for bucket: s3bucket-xxxxxx

Here is my code:

"s3bucket-xxxxxx": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "AccessControl": "Private",
        "VersioningConfiguration": {
            "Status": "Suspended"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"s3policytraillogs": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "s3bucket-xxxxxx"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::s3bucket-xxxxxx"
                },
                {
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:PutObject",
                    "Resource":  "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/XXXXXXXX/*",
                    "Condition": {
                        "StringEquals": {
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    }
                }
            ]
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"trailtraillogs": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "IncludeGlobalServiceEvents": true,
        "IsLogging": "true",
        "S3BucketName": {
            "Ref": "s3bucket-xxxxxx"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
}

【Comments】:

  • What is the intended purpose of "VersioningConfiguration": { "Status": "Suspended" }? It doesn't seem possible to create a bucket with versioning suspended.
  • Hi Michael, thanks for getting back to me. This is just what CloudFormer generated; does it need a different value?
  • I was just going on instinct there. Versioning on a bucket can only be suspended after it has first been enabled, I think. But the error is actually about the policy, so I may have misled you. I'll look at the policy part more closely.
  • I wonder whether you need to build your ARN with something like "Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "s3bucket-xxxxxx" }, "/AWSLogs/XXXXXXXX/*" ] ] }] in the second statement, and something similar but without the final string in the first. I'm afraid I really don't see the problem otherwise.
  • Thanks for your help, Michael!

Tags: amazon-web-services amazon-s3 amazon-cloudformation amazon-cloudtrail


【Solution 1】:

To fix this, the Resource has to be joined to the bucket using a reference:

"Resource": [{
    "Fn::Join": [ "", [
        "arn:aws:s3:::", {
            "Ref": "s3traillogs"
        }, "/AWSLogs/XXXXXXXXXXX/*"
    ] ]
}],

【Discussion】:

【Solution 2】:

Based on the resource definitions, the YAML could look like this:

EventBucketStorage:
  Type: "AWS::S3::Bucket"
  Properties:
    #AccessControl: PublicRead
    MetricsConfigurations:
      - Id: EventBucketStorageMetrics
    BucketName: !Sub "s3-event-step-bucket-storage-s"

EventBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref EventBucketStorage
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "AWSCloudTrailAclCheck20150319"
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:GetBucketAcl
          Resource: !Join
            - ""
            - - "arn:aws:s3:::"
              - !Ref EventBucketStorage
        - Sid: AWSCloudTrailWrite20150319
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource: !Join
            - ""
            - - "arn:aws:s3:::"
              - !Ref EventBucketStorage
              - /*
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control

You can also have a look at the link Start the execution of State Machine based on Amazon S3 Event

【Discussion】:

【Solution 3】:

The above error can also be caused by:

1) A dependency problem between the trail and the bucket.

This can be solved by referencing the bucket in the path:

"DependsOn": [
    "TheLogBucket"
]

2) A misconfigured bucket policy.

For example, in the second statement, "Resource": "arn:aws:s3:::myBucketName/<prefix>/AWSLogs/<account-id>/*", passing the wrong prefix or account ID, or forgetting the "*" suffix.

3) Indentation errors or quoting errors in the YAML file.

(*) Issues #1 and #2 are also mentioned here

(**) Be sure to follow the CloudTrail Trail Naming Requirements

【Discussion】:
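The policy mistakes discussed in Solution 1 and Solution 3 (an ARN built from the logical ID instead of the real bucket name, a wrong prefix or account ID, a missing "*" suffix) can be caught before deployment. The following Python check is an added example, not code from the question or any answer; it assumes the policy has already been resolved to plain strings (Ref and Fn::Join expanded), and the bucket name and account ID it uses are constructed placeholders.

```python
CLOUDTRAIL = "cloudtrail.amazonaws.com"

def _allows(policy, action):
    """Yield Allow statements that grant `action` to the CloudTrail service principal."""
    for s in policy.get("Statement", []):
        acts = s.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if (s.get("Effect") == "Allow" and action in acts
                and s.get("Principal", {}).get("Service") == CLOUDTRAIL):
            yield s

def _resources(s):
    r = s.get("Resource", [])
    return [r] if isinstance(r, str) else r

def check_cloudtrail_policy(policy, bucket_name, account_id, prefix=""):
    """Return the problems CloudTrail would reject the bucket for; [] means OK. `bucket_name` is the real name (what Ref resolves to), never the logical ID."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    key_prefix = f"/{prefix.strip('/')}" if prefix else ""
    objects_arn = f"{bucket_arn}{key_prefix}/AWSLogs/{account_id}/*"
    # 1) s3:GetBucketAcl must name the bucket ARN itself, with no trailing path.
    if not any(bucket_arn in _resources(s) for s in _allows(policy, "s3:GetBucketAcl")):
        problems.append(f"no s3:GetBucketAcl grant for {bucket_arn}")
    # 2) s3:PutObject must name <bucket>[/<prefix>]/AWSLogs/<account-id>/* exactly (a wrong
    #    prefix or account, or a missing '*', fails this) and require the owner ACL.
    puts = [s for s in _allows(policy, "s3:PutObject") if objects_arn in _resources(s)]
    if not puts:
        problems.append(f"no s3:PutObject grant for {objects_arn}")
    for s in puts:
        acl = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            problems.append("PutObject grant lacks s3:x-amz-acl = bucket-owner-full-control")
    return problems

def cloudtrail_policy(bucket_ref, account_id):
    """The question's two statements with `bucket_ref` spliced into the ARNs the way the template does (constructed sample)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{bucket_ref}"},
        {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket_ref}/AWSLogs/{account_id}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

# Constructed values: a bucket created without BucketName gets a generated name like this one,
# so an ARN that hard-codes the logical ID "s3bucket-xxxxxx" names a bucket that never exists.
REAL_BUCKET = "mystack-s3bucketxxxxxx-1a2b3c4d"
ACCOUNT = "123456789012"  # placeholder account ID
```

Running `check_cloudtrail_policy(cloudtrail_policy("s3bucket-xxxxxx", ACCOUNT), REAL_BUCKET, ACCOUNT)` reports both statements as missing, while building the ARNs from REAL_BUCKET (what Fn::Join with Ref produces) yields an empty list.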
