My CloudFormation stack fails and keeps rolling back because of the S3 bucket policy below. The referenced S3 bucket is a separate bucket used for CloudTrail logs (because I read that this is best practice when using CloudTrail). The bucket is created together with the rest of the stack during the CloudFormation run: [stackname]-cloudtraillogs-[randomstring]
I tried specifying the bucket without using any function, but that does not seem to work. My guess is that it then looks for a bucket named "cloudtraillogs" and cannot find any bucket with that name. Using Fn::Join with a Ref might solve it (?), but when evaluating the bucket policy CloudFormation reports "Unknown field Fn::Join".
Can anyone spot what I might be doing wrong here?
Bucket policy
{
  "Resources": {
    "policycloudtraillogs": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "cloudtraillogs"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck20160224",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "cloudtraillogs"
                    },
                    "/*"
                  ]
                ]
              },
            {
              "Sid": "AWSCloudTrailWrite20160224",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "cloudtraillogs"
                    },
                    "/AWSLogs/myAccountID/*"
                  ]
                ]
              },
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      }
    }
  }
}
Answer 0 (score: 0)
Your template does not appear to be valid JSON. Your first policy statement (AWSCloudTrailAclCheck20160224) is missing the closing brace } of its Resource object.
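The two things worth checking before deploying a template like the one in the question are (1) that it parses as JSON at all, since CloudFormation rejects a malformed document before it ever evaluates Ref or Fn::Join, and (2) that the resolved statements grant exactly what CloudTrail log delivery needs: s3:GetBucketAcl on the bucket ARN itself (not on bucket/*) and s3:PutObject under AWSLogs/<account-id>/ with the bucket-owner-full-control ACL condition. The script below is an added example, not code from the question or the answer; its Ref/Fn::Join resolver is a deliberately minimal stand-in for what CloudFormation does, and the bucket name, account id and sample templates are constructed for the demonstration.

```python
"""Lint a CloudFormation S3 bucket policy intended for CloudTrail delivery.

Hypothetical helper, not an AWS tool: it parses the template, resolves only
the Ref and Fn::Join intrinsics, and checks the CloudTrail statements.
"""
import json


def parse_template(text):
    """Return (template_dict, None) on success or (None, error_message) on bad JSON."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg}"


def resolve(node, refs):
    """Evaluate Ref and Fn::Join; refs maps logical IDs to physical resource names."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            return refs[node["Ref"]]
        if len(node) == 1 and "Fn::Join" in node:
            separator, parts = node["Fn::Join"]
            return separator.join(resolve(p, refs) for p in parts)
        return {k: resolve(v, refs) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, refs) for v in node]
    return node


def lint_cloudtrail_policy(template, policy_id, refs, account_id):
    """Return a list of findings; an empty list means the policy looks right."""
    findings = []
    props = template["Resources"][policy_id]["Properties"]
    bucket_arn = "arn:aws:s3:::" + resolve(props["Bucket"], refs)
    statements = resolve(props["PolicyDocument"]["Statement"], refs)
    by_action = {s["Action"]: s for s in statements}

    # CloudTrail reads the bucket ACL: bucket-level action, bucket-level ARN.
    acl = by_action.get("s3:GetBucketAcl")
    if acl is None:
        findings.append("missing s3:GetBucketAcl statement")
    elif acl["Resource"] != bucket_arn:
        findings.append(f"GetBucketAcl must target {bucket_arn}, got {acl['Resource']}")

    # CloudTrail writes only under AWSLogs/<account>/ and must hand ownership to the bucket owner.
    put = by_action.get("s3:PutObject")
    if put is None:
        findings.append("missing s3:PutObject statement")
    else:
        expected = f"{bucket_arn}/AWSLogs/{account_id}/*"
        if put["Resource"] != expected:
            findings.append(f"PutObject resource should be {expected}, got {put['Resource']}")
        cond = put.get("Condition", {}).get("StringEquals", {})
        if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append("PutObject lacks the s3:x-amz-acl = bucket-owner-full-control condition")

    # Neither statement should be open to anything but the CloudTrail service principal.
    for s in statements:
        if s.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            findings.append(f"statement {s.get('Sid')} is not scoped to cloudtrail.amazonaws.com")
    return findings


def statement(sid, action, resource_suffix, condition=None):
    """Build one statement in the same Fn::Join/Ref shape the question uses."""
    s = {"Sid": sid, "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": action,
         "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "cloudtraillogs"}] + resource_suffix]}}
    if condition:
        s["Condition"] = condition
    return s


def build_template(acl_suffix):
    """Constructed template mirroring the question; acl_suffix=['/*'] reproduces its GetBucketAcl ARN."""
    return {"Resources": {"policycloudtraillogs": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {"Ref": "cloudtraillogs"},
            "PolicyDocument": {"Statement": [
                statement("AWSCloudTrailAclCheck20160224", "s3:GetBucketAcl", acl_suffix),
                statement("AWSCloudTrailWrite20160224", "s3:PutObject", ["/AWSLogs/123456789012/*"],
                          {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}),
            ]}}}}}


REFS = {"cloudtraillogs": "mystack-cloudtraillogs-abc123"}  # constructed physical bucket name
ACCOUNT = "123456789012"  # constructed account id

GOOD = json.dumps(build_template([]), indent=1)     # correct bucket-level GetBucketAcl ARN
BROKEN = GOOD[:-1]                                  # drop the final brace, as in the question
SLOPPY = json.dumps(build_template(["/*"]))         # parses, but GetBucketAcl targets bucket/*


def check(text):
    """Parse first (the answer's point), then lint the resolved statements."""
    template, err = parse_template(text)
    if err:
        return [err]
    return lint_cloudtrail_policy(template, "policycloudtraillogs", REFS, ACCOUNT)


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BROKEN", BROKEN), ("SLOPPY", SLOPPY)):
        print(name, check(text) or "ok")
```

Running it prints `ok` for the corrected template, a parse error with line and column for the brace-less one, and a single finding for the variant that keeps the question's `/*` on the GetBucketAcl resource, which is the kind of mistake a syntactically valid template still lets through.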