Setting up a CloudTrail S3 bucket with an appropriate policy

Time: 2018-10-20 19:58:29

Tags: amazon-cloudformation

I'm trying to get CloudTrail up and running and want to set up the CloudTrail S3 bucket, but the policy isn't finished yet. Here is my code:


This is the policy I want to use:

CloudtrailBucket:
  Type: AWS::S3::Bucket
  DeletionPolicy: Delete
  # Stores all Trails for this account
  # (Description is not a valid resource-level attribute in CloudFormation, so it is kept as a comment)
  Properties:
    AccessControl: BucketOwnerFullControl
    BucketName: !Sub "${AWS::AccountId}-invoice-cloudtrail"
    LifecycleConfiguration:
      Rules:
        - Id: GlacierRule
          Prefix: glacier
          Status: Enabled
          ExpirationInDays: 365
          Transitions:
            - TransitionInDays: 1
              StorageClass: Glacier
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
    Tags:
      - Key: Name
        Value: !Sub '${EnvironmentName} ${Project}-CloudtrailBucket'
    VersioningConfiguration:
      Status: Suspended

I really don't know what's wrong. The error message is as follows:

CloudtrailBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref CloudtrailBucket
    PolicyDocument:
      Statement:
        - Sid: AWSCloudTrailAclCheck
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action:
            - s3:GetBucket*
          Resource:
            - !Sub "arn:aws:s3:::${AWS::AccountId}-invoice-cloudtrail/*"
        - Sid: AWSCloudTrailWrite
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource:
            - !Sub "arn:aws:s3:::${AWS::AccountId}-invoice-cloudtrail/*"
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control

1 answer:

Answer 0 (score: 0)

I think you have to change the policy to the following:

CloudtrailBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref CloudtrailBucket
    PolicyDocument:
      Statement:
        - Sid: AWSCloudTrailAclCheck
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action:
            - s3:GetBucketAcl
          Resource:
            - !Sub "arn:aws:s3:::${AWS::AccountId}-invoice-cloudtrail"
        - Sid: AWSCloudTrailWrite
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource:
            - !Sub "arn:aws:s3:::${AWS::AccountId}-invoice-cloudtrail/*"
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control

The reason is that s3:GetBucket* expands to s3:GetBucketAcl, s3:GetBucketCORS, etc. (all here), all of which expect the bucket as the resource, whereas your original policy supplied objects. So I changed the resource (removed the /*) and also cleaned the policy up a bit, because CloudTrail only needs s3:GetBucketAcl.
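As an added example (not part of the question or the answer above), here is a small Python checker for the mistake the answer describes: a bucket-level action such as s3:GetBucketAcl granted on an object ARN (`arn:aws:s3:::bucket/*`), or an object-level action such as s3:PutObject granted on a bucket ARN. It also checks that a CloudTrail write statement carries the s3:x-amz-acl = bucket-owner-full-control condition, since without it the trail's log objects are not owned by the bucket owner. The account ID 123456789012 and both embedded policy documents are constructed for this example, mirroring the question's policy and the answer's corrected one; the action classification is a prefix heuristic, not a complete list of S3 actions.

```python
"""Lint an S3 bucket policy for bucket-ARN vs object-ARN mismatches (added example)."""
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Action-name families that only ever apply to a bucket ARN / only to object ARNs.
# IAM action names are case-insensitive, so everything is compared lower-cased.
# Heuristic prefixes, not the full S3 action list.
BUCKET_LEVEL = ("s3:getbucket", "s3:listbucket", "s3:putbucket", "s3:deletebucket")
OBJECT_LEVEL = ("s3:getobject", "s3:putobject", "s3:deleteobject")

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
OWNER_FULL_CONTROL = "bucket-owner-full-control"

# Constructed sample policies; 123456789012 is a placeholder account ID.
BUCKET = "123456789012-invoice-cloudtrail"
ORIGINAL_POLICY = {  # the question's policy: GetBucket* on object ARNs
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": ["s3:GetBucket*"], "Resource": [f"{S3_ARN_PREFIX}{BUCKET}/*"]},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:PutObject", "Resource": [f"{S3_ARN_PREFIX}{BUCKET}/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": OWNER_FULL_CONTROL}}},
    ]
}
CORRECTED_POLICY = {  # the answer's policy: GetBucketAcl on the bucket ARN
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": ["s3:GetBucketAcl"], "Resource": [f"{S3_ARN_PREFIX}{BUCKET}"]},
        ORIGINAL_POLICY["Statement"][1],
    ]
}


def _as_list(value):
    """Action/Resource/Service fields may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_level(action):
    """Return 'bucket', 'object' or None (mixed/unknown) for one Action entry.

    s3:GetBucket* is 'bucket' because everything it expands to is bucket-level;
    s3:Get* or s3:* expand to both kinds and are left alone (None).
    """
    name = action.lower().rstrip("*")
    if any(name.startswith(fam) for fam in BUCKET_LEVEL):
        return "bucket"
    if any(name.startswith(fam) for fam in OBJECT_LEVEL):
        return "object"
    return None


def resource_level(arn):
    """Classify an S3 ARN: object ARNs have a '/' after the bucket name."""
    if not arn.startswith(S3_ARN_PREFIX):
        return None  # "*" or a non-S3 ARN: nothing to say
    return "object" if "/" in arn[len(S3_ARN_PREFIX):] else "bucket"


def _principal_services(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return [s.lower() for s in _as_list(principal.get("Service"))]
    return []


def _acl_condition(stmt):
    """Values of the s3:x-amz-acl StringEquals condition (condition keys are case-insensitive)."""
    for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "s3:x-amz-acl":
            return _as_list(value)
    return []


def lint_bucket_policy(policy):
    """Return a list of (Sid, message) findings for a policy dict."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            a_level = action_level(action)
            if a_level is None:
                continue
            for arn in _as_list(stmt.get("Resource")):
                r_level = resource_level(arn)
                if r_level is not None and r_level != a_level:
                    findings.append((sid, f"{action} ({a_level}-level) granted on {arn} ({r_level} ARN)"))
        # CloudTrail writes must hand the log objects to the bucket owner.
        if CLOUDTRAIL_SERVICE in _principal_services(stmt) and any(action_level(a) == "object" for a in actions):
            if OWNER_FULL_CONTROL not in _acl_condition(stmt):
                findings.append((sid, "CloudTrail PutObject grant lacks s3:x-amz-acl = bucket-owner-full-control"))
    return findings


def lint_bucket_policy_json(text):
    """Convenience wrapper for a policy given as a JSON string."""
    return lint_bucket_policy(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, lint_bucket_policy(policy) or "OK")
```

Run against the question's policy it reports the AclCheck statement; the answer's policy comes back clean. The same check can be pointed at a live bucket with `boto3.client("s3").get_bucket_policy(Bucket=...)["Policy"]` fed to `lint_bucket_policy_json`.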