我正在尝试通过无服务器应用程序创建cloudTrail。
CloudTrail:
Type: AWS::CloudTrail::Trail
Properties:
# CloudWatchLogsLogGroupArn: "String"
# CloudWatchLogsRoleArn: "String"
# EnableLogFileValidation: True
# EventSelectors:
# - EventSelector
# IncludeGlobalServiceEvents: True
IsLogging: True
# IsMultiRegionTrail: True
# KMSKeyId: String
S3BucketName: {"Ref" : "CloudTrailBucket"}
# S3KeyPrefix: String
# SnsTopicName: String
# Tags:
# - Tag
# TrailName: String
首先,我尝试单独创建cloudTrail并收到以下错误
CloudTrail - Incorrect S3 bucket policy is detected for bucket: ....
然后我添加了此代码以创建策略
CloudTrailBucketPolicy:
# Version : 2012-10-17,
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
- Action:
- "s3:GetBucketAcl"
Effect: Allow
Resource: { "Fn::Join": ["", ["arn:aws:s3:::CloudTrailBucket"] ] }
Principal: "*"
- Action:
- "s3:PutObject"
Effect: Allow
Resource: { "Fn::Join": ["", ["arn:aws:s3:::CloudTrailBucket", "/*" ] ] }
Principal:
Service: cloudtrail.amazonaws.com
但是出现此错误。
An error occurred: CloudTrailBucketPolicy - Value of property PolicyDocument must be an object.
答案 0 :(得分:2)
您忘记了Statement
:
CloudTrailBucketPolicy:
# Version : 2012-10-17,
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref CloudTrailBucket
PolicyDocument:
Statement:
- Action:
- "s3:GetBucketAcl"
Effect: Allow
Resource: { "Fn::Join": ["", ["arn:aws:s3:::", !Ref CloudTrailBucket] ] }
Principal: "*"
- Action:
- "s3:PutObject"
Effect: Allow
Resource: { "Fn::Join": ["", ["arn:aws:s3:::", !Ref CloudTrailBucket, "/*" ] ] }
Principal:
Service: cloudtrail.amazonaws.com