Terraform CloudTrail AccessDeniedException: Access Denied: You are not authorized to perform this operation on this resource

Question (votes: 0, answers: 1)

I am trying to create a CloudTrail trail with Terraform and log everything to an S3 bucket.

Here is the code:

resource "aws_kms_key" "cloudtrail_kms_key" {
  description         = "KMS key for Cloudtrail S3 Bucket"
  enable_key_rotation = true
}

resource "aws_kms_key_policy" "cloudtrail_kms_key_policy" {
  key_id = aws_kms_key.cloudtrail_kms_key.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "test"
    Statement = [
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.aws_account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Let CloudTrail encrypt log files with this key, but only for requests
        # that originate from this specific trail.
        Sid    = "Permitted KMS Key Services"
        Effect = "Allow"
        Principal = {
          Service = ["cloudtrail.amazonaws.com"]
          AWS     = "arn:aws:iam::${var.aws_account_id}:root"
        }
        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "aws:SourceArn" = "arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"
          }
        }
      }
    ]
  })
}

resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "${var.bucket_name}-${var.aws_region}-${var.aws_account_id}-ls"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket_sse_configuration" {
  bucket = aws_s3_bucket.cloudtrail_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.cloudtrail_kms_key.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_ownership_controls" "cloudtrail_bucket_ownership_controls" {
  bucket = aws_s3_bucket.cloudtrail_bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_versioning" "cloudtrail_bucket_versioning" {
  bucket = aws_s3_bucket.cloudtrail_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
  # CloudTrail first checks the bucket ACL, then writes the log objects.
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.cloudtrail_bucket.arn]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
    }
  }

  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    actions = ["s3:PutObject"]
    # CloudTrail writes to <s3_key_prefix>/AWSLogs/<account-id>/, and the trail
    # below sets s3_key_prefix = "AWSLogs", so the object path must match that.
    # An organization trail also writes member-account logs under
    # <s3_key_prefix>/AWSLogs/<org-id>/, which this statement does not cover.
    resources = ["${aws_s3_bucket.cloudtrail_bucket.arn}/AWSLogs/AWSLogs/${var.aws_account_id}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudtrail_bucket_policy" {
  bucket = aws_s3_bucket.cloudtrail_bucket.id
  policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
}

resource "aws_cloudtrail" "trail" {
  # The bucket policy must exist before CreateTrail, or CloudTrail's
  # bucket-permission check fails.
  depends_on                 = [aws_s3_bucket_policy.cloudtrail_bucket_policy]
  name                       = var.trail_name
  s3_bucket_name             = aws_s3_bucket.cloudtrail_bucket.id
  s3_key_prefix              = "AWSLogs"
  is_organization_trail      = true
  is_multi_region_trail      = true
  kms_key_id                 = aws_kms_key.cloudtrail_kms_key.arn
  enable_log_file_validation = true
}

Here is my provider configuration:

terraform {
  required_version = "~> 1.3, < 1.6"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

This creates the following resources:

  1. A KMS key with the key policy needed to let CloudTrail use the key.
  2. An S3 bucket with server-side encryption enabled, bucket ownership settings, versioning enabled, and the bucket policy CloudTrail needs to write to the bucket.
  3. The trail itself.

When I run terraform apply, I keep getting the following error:

Error: creating CloudTrail Trail (审核日志): operation error CloudTrail: CreateTrail, https response error StatusCode: 400, RequestID: abdc7ed4-22c4-4462-9ff9-4f8bda32e509, api error AccessDeniedException: Access Denied: You are not authorized to perform this operation on this resource.

The role I use to deploy this has administrator permissions, so I am not sure what is still missing to create the CloudTrail trail. Any help would be appreciated. Thank you.

amazon-web-services terraform terraform-provider-aws amazon-cloudtrail
1 Answer (0 votes)

When you need to create an organization trail, it has to be done from the organization's management account:

You must be signed in with the management account or a delegated administrator account associated with the organization to create an organization trail. You must also have sufficient permissions for the user or role in the management account or delegated administrator account to create the trail. If you do not have sufficient permissions, you will not see the option to apply the trail to the organization.

Looking at the code in the question, one parameter is set that creates an organization trail:

is_organization_trail = true

which means you are in fact creating an organization trail.
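As an added example (not code from the question or the answer), the trail resource from the question with a Terraform 1.2+ lifecycle precondition that fails at plan time with a readable message, instead of at apply time with the CreateTrail AccessDeniedException, when is_organization_trail is true but the deploying account is not the organization's management account. The variables is_organization_trail and delegated_admin_account_ids are assumed additions; a CloudTrail delegated administrator account is also allowed to create the trail, so such accounts can be listed explicitly.

```hcl
data "aws_caller_identity" "current" {}

# DescribeOrganization can be called from any member account, so this data
# source resolves wherever the configuration is applied.
data "aws_organizations_organization" "current" {}

variable "is_organization_trail" {
  type    = bool
  default = true
}

# Assumed variable: accounts registered as CloudTrail delegated administrators
# (ListDelegatedAdministrators is not callable from plain member accounts, so
# they are passed in rather than looked up).
variable "delegated_admin_account_ids" {
  type    = list(string)
  default = []
}

resource "aws_cloudtrail" "trail" {
  depends_on                 = [aws_s3_bucket_policy.cloudtrail_bucket_policy]
  name                       = var.trail_name
  s3_bucket_name             = aws_s3_bucket.cloudtrail_bucket.id
  s3_key_prefix              = "AWSLogs"
  is_organization_trail      = var.is_organization_trail
  is_multi_region_trail      = true
  kms_key_id                 = aws_kms_key.cloudtrail_kms_key.arn
  enable_log_file_validation = true

  lifecycle {
    precondition {
      # A regular trail can be created from any account; an organization trail
      # only from the management account or a CloudTrail delegated administrator.
      condition = (
        !var.is_organization_trail
        || data.aws_caller_identity.current.account_id == data.aws_organizations_organization.current.master_account_id
        || contains(var.delegated_admin_account_ids, data.aws_caller_identity.current.account_id)
      )
      error_message = "is_organization_trail is true, but the deploying account is neither the organization management account nor a listed CloudTrail delegated administrator; CreateTrail would fail with AccessDeniedException."
    }
  }
}
```

Running terraform plan from a member account now stops at the precondition, which also confirms the admin-role permissions themselves were never the problem.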
