CloudFormation bucket policy - missing required field "Effect"

Time: 2018-06-11 07:34:45

Tags: json amazon-web-services amazon-cloudformation amazon-cloudtrail

I have the following code, which I am trying to deploy to CloudFormation. For some reason it insists that I am missing a key element in the template.

I only started getting this error after I modified the bucket policy in the resource S3NotificationBucketPolicy.

Any insight would be great.

{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
    "S3NotificationBucketPolicy": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "S3NotificationBucket"
            },
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "AWSCloudTrailAclCheck20150318",
                        "Action": "s3:GetBucketAcl",
                        "Effect": "Allow",
                        "Resource": {
                            "Fn::Join": ["",
                            ["arn:aws:s3:::",
                            {
                                "Ref": "S3NotificationBucket"
                            }]]
                        },
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        }
                    },
                    {
                        "Sid": "AWSCloudTrailWrite20150318",
                        "Action": "s3:PutObject",
                        "Effect": "Allow",
                        "Resource": {
                            "Fn::Join": ["",
                            ["arn:aws:s3:::",
                            {
                                "Ref": "S3NotificationBucket"
                            },
                            "/*"]]
                        },
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        },
                        "Condition": {
                            "StringEquals": {
                                "s3:x-amz-acl": "bucket-owner-full-control"
                            }
                        }
                    }]
                }]
            }
        }
    },
    "S3Bucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Delete",
        "Properties": {

        }
    },
    "S3NotificationBucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Delete",
        "Properties": {

        }
    },
    "S3BucketPolicyForCloudTrail": {
        "DependsOn": "S3Bucket",
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "S3Bucket"
            },
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": {
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        }]]
                    }
                },
                {
                    "Sid": "Permissions fot Cloudtrail",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:*",
                    "Resource": {
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        },
                        "/*"]]
                    }
                }]
            }
        }
    },
    "CloudTrailForS3": {
        "DependsOn": ["S3NotificationBucketPolicy",
        "S3BucketPolicyForCloudTrail"],
        "Type": "AWS::CloudTrail::Trail",
        "Properties": {
            "EventSelectors": [{
                "DataResources": [{
                    "Type": "AWS::S3::Object",
                    "Values": [{
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        },
                        "/*"]]
                    }]
                }],
                "ReadWriteType": "All",
                "IncludeManagementEvents": false
            }],
            "S3BucketName": {
                "Ref": "S3NotificationBucket"
            },
            "IsLogging": true,
            "IncludeGlobalServiceEvents": true
        }
    }
  }
}

Even though I have specified the required element, it fails with the following message.

Missing required field Effect (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: B44FBDB00CA6AFDD; S3 Extended Request ID: jglPqCY9LCEOvIz5v7d2vyFbeaaelNVgahs7nGtYg5NJR20FRfef4m0lgtzqZEMyltI7d9T1g4s=)

1 answer:

Answer 0: (score: 0)

Your problem is that the S3NotificationBucketPolicy policy document has an extra Version/Statement:

"S3NotificationBucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "S3NotificationBucket"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",      <-- Here
            "Statement": [{
                "Version": "2012-10-17",  <-- And here
                "Statement": [{
                    "Sid": "AWSCloudTrailAclCheck20150318",

Remove one of them (and the matching closing brackets) and you should be good.
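The S3 API only reports the first missing field ("Effect"), so a template with this kind of nesting is easiest to catch before deployment. The following is an added example, not code from the question or the answer: a small linter that walks every AWS::S3::BucketPolicy resource in a CloudFormation template and reports statements that wrap another policy document or lack the fields a resource-based policy statement needs. The two templates embedded below are constructed, cut-down versions of the question's S3NotificationBucketPolicy (the broken nested form and the corrected form); the function names are my own.

```python
import json

# Fields every statement in a resource-based (bucket) policy must carry.
REQUIRED_STATEMENT_FIELDS = ("Effect", "Action", "Resource")

# Constructed sample: the single CloudTrail ACL-check statement from the question.
CLOUDTRAIL_ACL_CHECK = {
    "Sid": "AWSCloudTrailAclCheck20150318",
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "s3:GetBucketAcl",
    "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3NotificationBucket"}]]},
}


def make_template(statement_list):
    """Build a constructed minimal template around the given Statement list."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "S3NotificationBucket": {"Type": "AWS::S3::Bucket"},
            "S3NotificationBucketPolicy": {
                "Type": "AWS::S3::BucketPolicy",
                "Properties": {
                    "Bucket": {"Ref": "S3NotificationBucket"},
                    "PolicyDocument": {"Version": "2012-10-17", "Statement": statement_list},
                },
            },
        },
    }


# Broken form: a whole policy document (Version + Statement) nested inside a statement.
BROKEN_TEMPLATE = make_template([{"Version": "2012-10-17", "Statement": [CLOUDTRAIL_ACL_CHECK]}])
# Corrected form: the statement sits directly in the policy document's Statement list.
FIXED_TEMPLATE = make_template([CLOUDTRAIL_ACL_CHECK])


def find_policy_documents(template):
    """Yield (logical_id, PolicyDocument) for every AWS::S3::BucketPolicy resource."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::BucketPolicy":
            doc = resource.get("Properties", {}).get("PolicyDocument")
            if isinstance(doc, dict):
                yield logical_id, doc


def lint_statement(stmt):
    """Return a list of problems with one policy statement (empty if it looks sound)."""
    problems = []
    if "Statement" in stmt or "Version" in stmt:
        problems.append("nested policy document (Version/Statement inside a statement)")
    for field in REQUIRED_STATEMENT_FIELDS:
        if field not in stmt:
            problems.append(f"missing required field '{field}'")
    if "Principal" not in stmt and "NotPrincipal" not in stmt:
        problems.append("missing 'Principal' (required in a resource-based policy)")
    return problems


def lint_template(template):
    """Lint every bucket-policy statement in a parsed template; return finding strings."""
    findings = []
    for logical_id, doc in find_policy_documents(template):
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a single statement object is also legal
            statements = [statements]
        for index, stmt in enumerate(statements):
            sid = stmt.get("Sid", "no Sid")
            for problem in lint_statement(stmt):
                findings.append(f"{logical_id}: Statement[{index}] ({sid}): {problem}")
    return findings


def lint_template_text(text):
    """Convenience wrapper for a template read from a file: parse JSON, then lint."""
    return lint_template(json.loads(text))


if __name__ == "__main__":
    for name, template in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        findings = lint_template_text(json.dumps(template))
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Run against the broken template the linter reports the nested document plus the missing Effect, Action, Resource and Principal on the outer statement, which is exactly the shape the answer points at; the corrected template produces no findings. Because the S3 API stops at the first malformed field, running a check like this locally (or in CI on every template change) shows the whole problem at once rather than one field per failed deployment.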