我正在创建一个 Cloudtrail 跟踪和一个 S3 存储桶来存储我的所有日志。我的跟踪是组织级别跟踪和多区域跟踪。我正在从这些 AWS 文档 设置 S3 存储桶策略。我的 kms 密钥策略允许 cloudtrail
kms:GenerateDataKey*", "kms:DescribeKey", "kms:Decrypt
。
resource "aws_kms_key" "cloudtrail_kms_key" {
description = "KMS key for Cloudtrail S3 Bucket"
enable_key_rotation = true
multi_region = true
}
resource "aws_kms_key_policy" "cloudtrail_kms_key_policy" {
key_id = aws_kms_key.cloudtrail_kms_key.key_id
policy = jsonencode({
Version = "2012-10-17",
Id = "cloudtrail-kms-key-policy",
Statement : [
{
Sid = "Enable IAM User Permissions"
Effect = "Allow"
Principal = { AWS = "arn:aws:iam::${var.aws_account_id}:root" }
Action = "kms:*"
Resource = "*"
},
{
Sid = "Permitted KMS Key Services"
Effect = "Allow"
Principal = {
Service = ["cloudtrail.amazonaws.com"]
}
Action = ["kms:GenerateDataKey*", "kms:DescribeKey", "kms:Decrypt"]
Resource = "*",
"Condition" : {
"StringEquals" : {
"aws:SourceArn" : "arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${var.aws_account_id}:trail/*"
}
}
}
]
})
}
resource "aws_cloudtrail" "trail" {
depends_on = [aws_s3_bucket_policy.cloudtrail_bucket_policy]
name = var.trail_name
s3_bucket_name = aws_s3_bucket.cloudtrail_bucket.id
is_organization_trail = true
is_multi_region_trail = true
kms_key_id = aws_kms_key.cloudtrail_kms_key.arn
enable_log_file_validation = true
}
resource "aws_s3_bucket" "cloudtrail_bucket" {
bucket = "${var.bucket_name}"
}
resource "aws_s3_bucket_ownership_controls" "cloudtrail_bucket_ownership_controls" {
bucket = aws_s3_bucket.cloudtrail_bucket.id
rule {
object_ownership = "BucketOwnerEnforced"
}
}
#Link to IAM policy : https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy
data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
statement {
sid = "AWSCloudTrailAclCheck"
effect = "Allow"
principals {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}
actions = ["s3:GetBucketAcl"]
resources = [aws_s3_bucket.cloudtrail_bucket.arn]
condition {
test = "StringEquals"
variable = "aws:SourceArn"
values = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
}
}
statement {
sid = "AWSCloudTrailWrite"
effect = "Allow"
principals {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}
actions = ["s3:PutObject"]
resources = ["${aws_s3_bucket.cloudtrail_bucket.arn}/prefix/AWSLogs/${var.aws_account_id}/*"]
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
condition {
test = "StringEquals"
variable = "aws:SourceArn"
values = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
}
}
statement {
sid = "AllowOrganizationTrailToPutObjects"
effect = "Allow"
principals {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}
actions = ["s3:PutObject"]
resources = ["${aws_s3_bucket.cloudtrail_bucket.arn}/prefix/AWSLogs/${var.organization_id}/*"]
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
condition {
test = "StringEquals"
variable = "aws:SourceArn"
values = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
}
}
}
resource "aws_s3_bucket_policy" "cloudtrail_bucket_policy" {
bucket = aws_s3_bucket.cloudtrail_bucket.id
policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
}
但是我一直遇到以下错误:
Error: creating CloudTrail Trail (org-logs): operation error CloudTrail: CreateTrail, https response error StatusCode: 400, RequestID: 42aed73c-100f-43cb-b094-cd5d615bde1e, InsufficientS3BucketPolicyException:
Incorrect S3 bucket policy is detected for bucket: cloudtrail-production-us-west-2-042518407502-ls (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientS3BucketPolicyException; Request ID: 422be9b4-75da-4a97-8012-a80b99a9942a; Proxy: null)
补充一点:我确实将其部署到委派管理员帐户,所以我知道这不是问题。
我做错了什么?
首先我要说的是,我能够重现与您完全相同的错误:
InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket
在我的测试中唯一的区别是我将
is_organization_trail
设置为 false...
我开始打破你的政策,也看看其他人做类似的事情,一个很好的例子:
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${aws_s3_bucket.success-1.bucket}/*",
所以我改变了你的第一个声明(
AWSCloudTrailWrite
)以匹配:
resources = ["${aws_s3_bucket.cloudtrail_bucket.arn}/*"]
我测试的完整代码: