InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket

Problem description (votes: 0, answers: 1)

I am creating a CloudTrail trail and an S3 bucket to store all my logs. My trail is an organization trail and a multi-region trail. I am setting up the S3 bucket policy from these AWS docs. My KMS key policy allows CloudTrail:

"kms:GenerateDataKey*", "kms:DescribeKey", "kms:Decrypt"

resource "aws_kms_key" "cloudtrail_kms_key" {
  description         = "KMS key for Cloudtrail S3 Bucket"
  enable_key_rotation = true
  multi_region        = true
}

resource "aws_kms_key_policy" "cloudtrail_kms_key_policy" {
  key_id = aws_kms_key.cloudtrail_kms_key.key_id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "cloudtrail-kms-key-policy"
    Statement = [
      {
        # The account root keeps full control of the key, so IAM policies
        # in this account can grant further access.
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.aws_account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # CloudTrail may describe the key and generate/decrypt data keys,
        # but only when the request comes from this trail (aws:SourceArn)
        # and carries a CloudTrail encryption context for a trail in this account.
        Sid    = "Permitted KMS Key Services"
        Effect = "Allow"
        Principal = {
          Service = ["cloudtrail.amazonaws.com"]
        }
        Action   = ["kms:GenerateDataKey*", "kms:DescribeKey", "kms:Decrypt"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "aws:SourceArn" = "arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"
          }
          StringLike = {
            "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${var.aws_account_id}:trail/*"
          }
        }
      }
    ]
  })
}

resource "aws_cloudtrail" "trail" {
  # The bucket policy has to be in place before CreateTrail, because
  # CloudTrail validates it when the trail is created.
  depends_on                 = [aws_s3_bucket_policy.cloudtrail_bucket_policy]
  name                       = var.trail_name
  s3_bucket_name             = aws_s3_bucket.cloudtrail_bucket.id
  is_organization_trail      = true
  is_multi_region_trail      = true
  kms_key_id                 = aws_kms_key.cloudtrail_kms_key.arn
  enable_log_file_validation = true
}

resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_ownership_controls" "cloudtrail_bucket_ownership_controls" {
  bucket = aws_s3_bucket.cloudtrail_bucket.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

#Link to IAM policy : https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy
data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.cloudtrail_bucket.arn]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
    }
  }

  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.cloudtrail_bucket.arn}/prefix/AWSLogs/${var.aws_account_id}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
    }
  }

  statement {
    sid    = "AllowOrganizationTrailToPutObjects"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.cloudtrail_bucket.arn}/prefix/AWSLogs/${var.organization_id}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:${var.aws_region}:${var.aws_account_id}:trail/${var.trail_name}"]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudtrail_bucket_policy" {
  bucket = aws_s3_bucket.cloudtrail_bucket.id
  policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
}

But I keep getting the following error:

Error: creating CloudTrail Trail (org-logs): operation error CloudTrail: CreateTrail, https response error StatusCode: 400, RequestID: 42aed73c-100f-43cb-b094-cd5d615bde1e, InsufficientS3BucketPolicyException: 
Incorrect S3 bucket policy is detected for bucket: cloudtrail-production-us-west-2-042518407502-ls (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientS3BucketPolicyException; Request ID: 422be9b4-75da-4a97-8012-a80b99a9942a; Proxy: null)

One more thing: I am indeed deploying this to the delegated administrator account, so I know that is not the problem.

What am I doing wrong?

amazon-web-services amazon-s3 terraform amazon-cloudtrail
1 answer

Votes: 0

First let me say that I was able to reproduce exactly the same error as you:

InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket

The only difference in my test was that I set is_organization_trail to false...


I started breaking your policy down, and also looked at how others do similar things; a good example:

https://github.com/cloud-custodian/cloud-custodian/blob/main/tests/terraform/cloudtrail_success_log_metric_filter/main.tf

            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::${aws_s3_bucket.success-1.bucket}/*",

So I changed your first statement (AWSCloudTrailWrite) to match:

resources = ["${aws_s3_bucket.cloudtrail_bucket.arn}/*"]

After that the error no longer appeared, and a folder structure was created in the bucket:
[screenshot of the bucket structure, not reproduced here]


The full code I tested:

https://github.com/heldersepu/hs-scripts/blob/master/TerraForm/InsufficientS3BucketPolicyException/main.tf
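An added check, written for this page and not part of the question or the answer above, that models what CloudTrail will write and whether a bucket policy lets it. The trail in the question sets no s3_key_prefix, so CloudTrail writes to AWSLogs/<account-id>/... and, for an organization trail, AWSLogs/<org-id>/<account-id>/..., while the question's policy only allows PutObject under prefix/AWSLogs/..., the placeholder segment copied from the AWS docs; nothing CloudTrail would write matches, and CreateTrail rejects the policy. The answer's resource of "/*" matches, but so does keeping the documented paths and dropping the placeholder (or setting s3_key_prefix = "prefix" on the trail). The account ID, organization ID, bucket name, trail name, date and file suffix below are constructed for the example; the evaluator is a simplified model of IAM policy evaluation (Allow statements, Resource/Action wildcards, StringEquals only), not AWS's real evaluator.

```python
import re

# Constructed identifiers for this example (not from the original post).
ACCOUNT_ID, ORG_ID, REGION = "111122223333", "o-exampleorg1", "us-west-2"
BUCKET, TRAIL_NAME = "cloudtrail-bucket", "org-logs"
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT_ID}:trail/{TRAIL_NAME}"
CT_SERVICE = "cloudtrail.amazonaws.com"


def cloudtrail_log_key(account_id, region, prefix="", org_id=""):
    """Object key CloudTrail writes for one log file, following the documented
    layout [prefix/]AWSLogs/[org-id/]account-id/CloudTrail/region/YYYY/MM/DD/
    account-id_CloudTrail_region_YYYYMMDDTHHmmZ_unique.json.gz (the date and
    the unique suffix here are placeholders)."""
    parts = [prefix.strip("/")] if prefix else []
    parts += ["AWSLogs"] + ([org_id] if org_id else [])
    parts += [account_id, "CloudTrail", region, "2024", "01", "01",
              f"{account_id}_CloudTrail_{region}_20240101T0000Z_abc123.json.gz"]
    return "/".join(parts)


def iam_glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters (including
    '/'), '?' matches one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def policy_allows_put(policy, bucket, key, source_arn,
                      acl="bucket-owner-full-control"):
    """Simplified evaluation of a bucket policy for a CloudTrail PutObject:
    Allow statements for the CloudTrail service principal, Action and Resource
    wildcard matching, StringEquals on aws:SourceArn and s3:x-amz-acl.
    Deny statements and other condition operators are not modelled."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    request = {"aws:SourceArn": source_arn, "s3:x-amz-acl": acl}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if CT_SERVICE not in _as_list(stmt.get("Principal", {}).get("Service", [])):
            continue
        if not any(iam_glob(a, "s3:PutObject") for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(iam_glob(r, object_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request.get(k) in _as_list(v) for k, v in equals.items()):
            return True
    return False


def put_statement(sid, resource, trail_arn=TRAIL_ARN):
    """One CloudTrail write statement in the shape of AWS's documented policy."""
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": CT_SERVICE},
            "Action": "s3:PutObject", "Resource": resource,
            "Condition": {"StringEquals": {"aws:SourceArn": trail_arn,
                                           "s3:x-amz-acl": "bucket-owner-full-control"}}}


def bucket_policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# As in the question: the docs' placeholder segment 'prefix/' stays in the
# paths while the trail sets no s3_key_prefix.
QUESTION_POLICY = bucket_policy(
    put_statement("AWSCloudTrailWrite", f"arn:aws:s3:::{BUCKET}/prefix/AWSLogs/{ACCOUNT_ID}/*"),
    put_statement("AllowOrganizationTrailToPutObjects", f"arn:aws:s3:::{BUCKET}/prefix/AWSLogs/{ORG_ID}/*"))
# As in the answer: any key in the bucket, still limited to this trail's ARN.
ANSWER_POLICY = bucket_policy(put_statement("AWSCloudTrailWrite", f"arn:aws:s3:::{BUCKET}/*"))
# Narrower alternative: the documented paths without the placeholder segment.
SCOPED_POLICY = bucket_policy(
    put_statement("AWSCloudTrailWrite", f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT_ID}/*"),
    put_statement("AllowOrganizationTrailToPutObjects", f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/*"))


def check_policies():
    """Which policies allow the keys an organization trail writes, with and
    without an s3_key_prefix of 'prefix', and a request from another trail."""
    org_key = cloudtrail_log_key(ACCOUNT_ID, REGION, org_id=ORG_ID)
    own_key = cloudtrail_log_key(ACCOUNT_ID, REGION)
    prefixed = cloudtrail_log_key(ACCOUNT_ID, REGION, prefix="prefix", org_id=ORG_ID)
    other_trail = TRAIL_ARN.replace(TRAIL_NAME, "other-trail")
    results = {}
    for name, pol in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY),
                      ("scoped", SCOPED_POLICY)):
        results[name] = {
            "org_key": policy_allows_put(pol, BUCKET, org_key, TRAIL_ARN),
            "own_key": policy_allows_put(pol, BUCKET, own_key, TRAIL_ARN),
            "org_key_with_prefix": policy_allows_put(pol, BUCKET, prefixed, TRAIL_ARN),
            "org_key_other_trail": policy_allows_put(pol, BUCKET, org_key, other_trail)}
    return results
```

Running check_policies() shows the question's policy allowing nothing the trail actually writes unless the trail also sets s3_key_prefix = "prefix", the answer's "/*" allowing every key, and the scoped policy allowing exactly the account and organization paths. In all three, the aws:SourceArn condition still rejects a write attributed to a different trail, which is the control that keeps a broad "/*" resource from letting another account's trail write into this bucket; the narrower paths are still preferable for an audit bucket, since they also stop CloudTrail from writing anywhere except the expected log tree.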
