【发布时间】:2021-06-28 03:35:17
【问题描述】:
我正在为各种帐户使用以下存储桶策略将日志推送到位于“ACCOUNT-ID-0”中的集中式 S3 存储桶中:
我在 ACCOUNT-ID-0 中有此政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::BUCKET-NAME/vpc-flow-logs/AWSLogs/{ACCOUNT-ID-01}/*",
"arn:aws:s3:::BUCKET-NAME/cloudtrail/AWSLogs/{ACCOUNT-ID-02}/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::BUCKET-NAME"
}
]
}我想获取位于“arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/abc.yaml”中的文件
我正在尝试使用模板文件 abc.yaml 部署一致性包。 我正在从 ACCOUNT-ID-03 运行 aws cli 命令并收到此错误: 调用 PutOrganizationConformancePack 操作时发生错误 (InsufficientPermissionsException):S3 URI 读取权限不足
有人可以帮我解决存储桶政策吗?
【问题讨论】:
-
所以您想允许从
ACCOUNT-ID-03对ACCOUNT-ID-0中的存储桶进行读取访问? -
是的,对于 s3 中的特定文件夹也是如此:BUCKET-NAME/awsconfigconforms-rules
标签: terraform terraform-provider-aws terraform0.12+ terraform-modules