I'm running into a problem implementing CloudTrail through CloudFormation: when I try to launch the template I get an "Incorrect S3 bucket policy is detected for bucket" error.
Here is the configuration of the BucketPolicy:
"LogBucketPolicy": {
  "Type": "AWS::S3::BucketPolicy",
  "Properties": {
    "Bucket": {
      "Ref": "LogBucket"
    },
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AWSCloudTrailAclCheck",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudtrail.amazonaws.com"
          },
          "Action": "s3:GetBucketAcl",
          "Resource": {
            "Fn::Join": [
              "",
              [
                "arn:aws:s3:::",
                {
                  "Ref": "LogBucket"
                }
              ]
            ]
          }
        },
        {
          "Sid": "AWSCloudTrailWrite",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudtrail.amazonaws.com"
          },
          "Action": "s3:PutObject",
          "Resource": {
            "Fn::Join": [
              "",
              [
                "arn:aws:s3:::",
                {
                  "Ref": "LogBucket"
                },
                "/AWSLogs/139339407673/*"
              ]
            ]
          },
          "Condition": {
            "StringEquals": {
              "s3:x-amz-acl": "bucket-owner-full-control"
            }
          }
        }
      ]
    }
  }
}
I copied the template from the AWS examples, but if I made a mistake in my implementation, please let me know.
Edit: the bucket policy does not raise the error; CloudTrail does. Here is the configuration of the bucket:
"Trail": {
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "SnsTopicName": {
      "Fn::GetAtt": [
        "Topic",
        "TopicName"
      ]
    },
    "IsLogging": true,
    "S3BucketName": {
      "Ref": "LogBucket"
    }
  },
  "DependsOn": [
    "LogBucket"
  ]
}
Answer 0 (score: 0)
I modified your code and it seems to work for me. Can you give it a try?
{
  "Parameters": {
    "LogBucket": {
      "Description": "Name Bucket.",
      "Type": "String"
    }
  },
  "Resources": {
    "LogBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "LogBucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "LogBucket"
                    }
                  ]
                ]
              }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "LogBucket"
                    },
                    "/AWSLogs/139339407673/*"
                  ]
                ]
              },
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      }
    }
  }
}
Answer 1 (score: 0)
As Krishna mentioned, the error came from the fact that I had not declared the dependency on the BucketPolicy. Once that was done, the stack deployed without any problem.
Answer 2 (score: 0)
Apart from the dependency problem mentioned in the accepted answer, the error can also come from a different situation in which the S3 policy is misconfigured.
For example, if we look at the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::myBucketName"
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/<account-id>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Look at the Resource block of the second statement:
"Resource": "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/<account-id>/*"
Passing a wrong value to the Resource block, such as a wrong prefix (my case) or forgetting the "*" suffix (as mentioned here in the previous case), causes the error.
(*) Example taken from here.
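As an added example (not code from any of the answers above), here is a small Python check for the two causes this thread discusses: it validates a bucket policy against the object ARN CloudTrail actually writes to, so the wrong-prefix and missing-"*" cases from Answer 2 are flagged before a stack is deployed, and it checks that the Trail resource declares DependsOn on the bucket policy as in Answer 1. The bucket name my-trail-logs, the account id 123456789012 and the prefix values are constructed sample data.

```python
CLOUDTRAIL = "cloudtrail.amazonaws.com"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_cloudtrail_bucket_policy(policy, bucket, account_id, prefix=""):
    """Return the problems found; an empty list means CloudTrail can ACL-check and write."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix_part = f"{prefix.strip('/')}/" if prefix else ""
    expected_write = f"{bucket_arn}/{prefix_part}AWSLogs/{account_id}/*"
    problems, acl_ok, put_seen = [], False, False
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") != "Allow" or not isinstance(principal, dict)
                or CLOUDTRAIL not in _as_list(principal.get("Service"))):
            continue  # only Allow statements for the CloudTrail service principal matter here
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            put_seen = True
            acl_cond = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if expected_write not in resources:  # wrong prefix, missing "*" suffix, wrong account
                problems.append(f"PutObject resource {resources} does not match {expected_write}")
            elif acl_cond != "bucket-owner-full-control":
                problems.append("PutObject statement lacks the s3:x-amz-acl bucket-owner-full-control condition")
    if not acl_ok:
        problems.append(f"no s3:GetBucketAcl grant for CloudTrail on {bucket_arn}")
    if not put_seen:
        problems.append("no s3:PutObject grant for CloudTrail")
    return problems

def trail_depends_on_policy(template, trail="Trail", policy="LogBucketPolicy"):
    """Answer 1's fix: the trail resource must declare DependsOn on the bucket policy resource."""
    return policy in _as_list(template["Resources"][trail].get("DependsOn"))

def _policy(write_resource):  # constructed sample shaped like the policies quoted above
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::my-trail-logs"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject", "Resource": write_resource,
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
GOOD = _policy("arn:aws:s3:::my-trail-logs/AWSLogs/123456789012/*")
NO_STAR = _policy("arn:aws:s3:::my-trail-logs/AWSLogs/123456789012/")  # forgotten "*" suffix
WRONG_PREFIX = _policy("arn:aws:s3:::my-trail-logs/logs/AWSLogs/123456789012/*")  # prefix the trail does not use
if __name__ == "__main__":
    for name, pol in (("good", GOOD), ("no_star", NO_STAR), ("wrong_prefix", WRONG_PREFIX)):
        print(name, check_cloudtrail_bucket_policy(pol, "my-trail-logs", "123456789012") or "OK")
```

The same check passes WRONG_PREFIX when the trail is configured with the matching S3KeyPrefix, which is exactly the mismatch Answer 2 describes: the policy must name the prefix the trail really uses.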