创建S3存储桶策略时出错-属性PolicyDocument的值必须是一个对象

时间:2019-05-30 14:21:15

标签: amazon-web-services amazon-s3 yaml amazon-cloudformation aws-serverless

我正在尝试通过无服务器应用程序创建cloudTrail。

CloudTrail:
  Type: AWS::CloudTrail::Trail
  Properties: 
    # CloudWatchLogsLogGroupArn: "String"
    # CloudWatchLogsRoleArn: "String"
    # EnableLogFileValidation: True
    # EventSelectors: 
    #   - EventSelector
    # IncludeGlobalServiceEvents: True
    IsLogging: True
    # IsMultiRegionTrail: True
    # KMSKeyId: String
    S3BucketName: {"Ref" : "CloudTrailBucket"}
    # S3KeyPrefix: String
    # SnsTopicName: String
    # Tags: 
    #   - Tag
    # TrailName: String

首先,我尝试单独创建cloudTrail并收到以下错误

CloudTrail - Incorrect S3 bucket policy is detected for bucket: ....

然后我添加了此代码以创建策略

CloudTrailBucketPolicy: 
  # Version : 2012-10-17,
  Type:  AWS::S3::BucketPolicy
  Properties:
    PolicyDocument:
      - Action:
          - "s3:GetBucketAcl"
        Effect:  Allow
        Resource: { "Fn::Join": ["", ["arn:aws:s3:::CloudTrailBucket"] ] }
        Principal:  "*"
      - Action:
          - "s3:PutObject"
        Effect:  Allow
        Resource: { "Fn::Join": ["", ["arn:aws:s3:::CloudTrailBucket", "/*" ] ] }
        Principal:
          Service:  cloudtrail.amazonaws.com

但是出现此错误。

An error occurred: CloudTrailBucketPolicy - Value of property PolicyDocument must be an object.

1 个答案:

答案 0 :(得分:2)

您忘记了Statement

CloudTrailBucketPolicy: 
  # Version : 2012-10-17,
  Type:  AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CloudTrailBucket
      PolicyDocument:
        Statement:
          - Action:
              - "s3:GetBucketAcl"
            Effect:  Allow
            Resource: { "Fn::Join": ["", ["arn:aws:s3:::", !Ref CloudTrailBucket] ] }
            Principal:  "*"
          - Action:
              - "s3:PutObject"
            Effect:  Allow
            Resource: { "Fn::Join": ["", ["arn:aws:s3:::", !Ref CloudTrailBucket, "/*" ] ] }
            Principal:
              Service:  cloudtrail.amazonaws.com