我想制作cloudformation和S3,然后将日志放入S3。
所以我的代码如下
const bk = new s3.Bucket(this, `cm-st-cloudfront-bk`, {
bucketName: s3_name,
removalPolicy: RemovalPolicy.DESTROY,
autoDeleteObjects: true,
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
//
encryption: s3.BucketEncryption.S3_MANAGED,
versioned:true,
});
const oai = new cloudfront.OriginAccessIdentity(this, `my-oai`,{
comment:`Access identity for ${targetEnv}`
});
const cf = new cloudfront.CloudFrontWebDistribution(this, `Website-${targetEnv}-Distribution`, {
comment:`CF for resource S3 ${targetEnv}`,
viewerCertificate: {
aliases: [],
props: {
cloudFrontDefaultCertificate: true,
},
},
errorConfigurations: [
{
errorCode: 403,
responsePagePath: "/index.html",
responseCode: 200,
errorCachingMinTtl: 0,
},
{
errorCode: 404,
responsePagePath: "/index.html",
responseCode: 200,
errorCachingMinTtl: 0,
},
],
loggingConfig: {
bucket: bk,
prefix: "cloudfront/",
},
});
在这个设置下,就会出现这个错误。
Bucket cannot have public ACLs set with BlockPublicAccess enabled
所以我改变了
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
到
//blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
然而同样的情况也会发生。
Bucket cannot have public ACLs set with BlockPublicAccess enabled
我该如何解决这个问题,我想知道cloudfront是否无法在
Block public access
打开的情况下将日志放入S3?
这是因为 CloudFront 需要对 S3 存储桶的写入权限才能存储访问日志。
您可以将 S3 存储桶策略配置为仅允许来自 CloudFront 日志记录服务主体的写入访问。您可以修改 S3 存储桶定义以允许 CloudFront 写入日志,同时仍阻止公共访问:
// Allow CloudFront logging service principal to write access logs to the bucket
bk.addToResourcePolicy(new iam.PolicyStatement({
actions: ['s3:PutObject'],
effect: iam.Effect.ALLOW,
resources: [bk.arnForObjects('*')],
principals: [new iam.ServicePrincipal('delivery.logs.amazonaws.com')],
}));