使用CloudFormation模板将多个帐户中的CloudTrail日志整合到一个S3存储桶中。尝试在S3存储桶上设置权限,以便每个帐户都写入自己的文件夹。最后两个!加入线让我感到悲伤。
MasterAccNum:
Type: String
Description: 12 digit account number without dashes.
ProdAccNum:
Type: String
Description: 12 digit account number without dashes.
Sid: AWSCloudTrailWrite
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:PutObject
Resource:
- !Join ['', ['arn:aws:s3:::', !Ref 'LoggingS3Bucket', /AWSCloudTrailLogs/, !Ref 'AWS::AccountId', /*]]
- !Join ['', ['arn:aws:s3:::', !Ref 'LoggingS3Bucket', /AWSCloudTrailLogs/, !Ref 'MasterAccNum', /*]]
- !Join ['', ['arn:aws:s3:::', !Ref 'LoggingS3Bucket', /AWSCloudTrailLogs/, !Ref 'ProdAccNum', /*]]
我为MasterAccNum和ProdAccNum参数输入12位数的帐号,最终获得S3权限,如下所示:
"Resource": [
"arn:aws:s3:::mycompanyname-is-cloudtrail-logs/AWSCloudTrailLogs/012345678901/*",
"arn:aws:s3:::mycompanyname-is-cloudtrail-logs/AWSCloudTrailLogs//*",
"arn:aws:s3:::mycompanyname-is-cloudtrail-logs/AWSCloudTrailLogs//*"
最后两行缺少在堆栈启动期间输入的参数