Amazon web services 是否通过cloudFormation模板启用日志记录S3？_Amazon Web Services_Amazon S3_Amazon Cloudformation_Amazon Iam

Amazon web services 是否通过cloudFormation模板启用日志记录S3？

amazon-web-services amazon-s3 amazon-cloudformation

Amazon web services 是否通过cloudFormation模板启用日志记录S3？,amazon-web-services,amazon-s3,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon S3,Amazon Cloudformation,Amazon Iam,我正在尝试创建两个具有两种不同策略的存储桶一个bucket VendorsWGLogs将作为日志输出的目标另一个bucket VendorsWG将授予对指定IAM组的GetObject、PutObject和DeleteObject访问权以下是我到目前为止的情况： "Resources": { "VendorsWGLogs": { "Type": "AWS::S3::Bucket", "Properties": {}, }, "LogsBuck

我正在尝试创建两个具有两种不同策略的存储桶

一个bucket VendorsWGLogs将作为日志输出的目标

另一个bucket VendorsWG将授予对指定IAM组的GetObject、PutObject和DeleteObject访问权

以下是我到目前为止的情况：

"Resources": {
    "VendorsWGLogs": {
      "Type": "AWS::S3::Bucket",
      "Properties": {},
    },
    "LogsBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "VendorsWGLogs"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "WeatherGuidance LogBucket permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS" : "arn:aws:s3:::VendorsWG"
              },
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
              ],
              "Resource" : { "Fn::Join" : [
                  "", [ "arn:aws:s3:::", { "Ref" : "VendorsWGLogs" } , "/*" ]
               ]}
            }
          ]
        }
      }
    },
    "VendorsWG": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "LoggingConfiguration": {
          "DestinationBucketName": {"Ref" : "VendorsWGLogs"},
          "LogFilePrefix": "testing-logs"
        }
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "a1169860-d743-406e-a3e5-e12831826439"
        },
      }
    },
    "S3BP4TNQZ": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "VendorsWG"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "WeatherGuidance Object permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS" : "arn:aws:iam::someUserGroup"
              },
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
              ],
              "Resource" : { "Fn::Join" : [
                  "", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } , "/*" ]
               ]}
            },
            {
              "Sid": "WeatherGuidance ListBucket",
              "Effect": "Allow",
              "Principal": {
                "AWS" : "arn:aws:iam::someUserGroup"
              },
              "Action": "s3:ListBucket",
              "Resource" : { "Fn::Join" : [
                  "", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } ]
               ]},
              "Condition": {
                "StringLike": {
                  "s3:prefix": "weatherguidance*"
                }
              }
            }
          ]
        }
      }
    }
  }

当我试图创建一个堆栈时，我得到了这个错误

事件日志输出：

类型：

逻辑ID:

VendorsWG

身份原因：

You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket

我认为将目标bucket的策略的主体指定为VendorsWGLogs可以解决这个问题，现在我已经没有主意了

我做错了什么？要启用日志记录，我可以做什么？

谢谢

我认为你的问题有两方面：

操作中没有

s3:ListBucket

，因此无法读取bucket的内容

s3 bucket上的操作在bucket（VendorsWGLogs）和contents（

VendorsWGLogs/*

）级别运行，因此您需要在参考资料下列出这两个操作。由此产生的策略应为

“资源”：[ “arn:aws:s3:：：VendorsWGLogs”， “arn:aws:s3:：：供应商WGLOGS/*” ]

需要将其置于日志存储桶的属性下

Properties: {
      AccessControl: "LogDeliveryWrite"
}

谢谢你的回复！我不明白你所说的#1是什么意思。同样，bucket应该列在参考资料下的何处？我将操作更改为使用通配符*，并添加了参考资料行，但仍然得到相同的错误。。。。

Properties: {
      AccessControl: "LogDeliveryWrite"
}