Amazon Web Services: enable logging on S3 via a CloudFormation template?
Tags: amazon-web-services, amazon-s3, amazon-cloudformation, amazon-iam
I am trying to create two buckets with two different policies. One bucket, VendorsWGLogs, will be the target for the log output. The other bucket, VendorsWG, will grant GetObject, PutObject and DeleteObject access to a specified IAM group. Here is what I have so far:
{
    "Resources": {
        "VendorsWGLogs": {
            "Type": "AWS::S3::Bucket",
            "Properties": {}
        },
        "LogsBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {
                    "Ref": "VendorsWGLogs"
                },
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "WeatherGuidance LogBucket permissions",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:s3:::VendorsWG"
                            },
                            "Action": [
                                "s3:GetObject",
                                "s3:PutObject",
                                "s3:PutObjectAcl"
                            ],
                            "Resource": { "Fn::Join": [
                                "", [ "arn:aws:s3:::", { "Ref": "VendorsWGLogs" }, "/*" ]
                            ] }
                        }
                    ]
                }
            }
        },
        "VendorsWG": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "LoggingConfiguration": {
                    "DestinationBucketName": { "Ref": "VendorsWGLogs" },
                    "LogFilePrefix": "testing-logs"
                }
            },
            "Metadata": {
                "AWS::CloudFormation::Designer": {
                    "id": "a1169860-d743-406e-a3e5-e12831826439"
                }
            }
        },
        "S3BP4TNQZ": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {
                    "Ref": "VendorsWG"
                },
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "WeatherGuidance Object permissions",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:iam::someUserGroup"
                            },
                            "Action": [
                                "s3:GetObject",
                                "s3:PutObject",
                                "s3:DeleteObject"
                            ],
                            "Resource": { "Fn::Join": [
                                "", [ "arn:aws:s3:::", { "Ref": "VendorsWG" }, "/*" ]
                            ] }
                        },
                        {
                            "Sid": "WeatherGuidance ListBucket",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:iam::someUserGroup"
                            },
                            "Action": "s3:ListBucket",
                            "Resource": { "Fn::Join": [
                                "", [ "arn:aws:s3:::", { "Ref": "VendorsWG" } ]
                            ] },
                            "Condition": {
                                "StringLike": {
                                    "s3:prefix": "weatherguidance*"
                                }
                            }
                        }
                    ]
                }
            }
        }
    }
}
When I try to create a stack, I get this error.
Event log output:
Type:
Logical ID: VendorsWG
Status reason:
You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket
I thought that specifying VendorsWGLogs as the principal in the target bucket's policy would solve this, and now I am out of ideas.
What am I doing wrong? What can I do to enable logging?
Thanks

I think your problem is two-fold:
1. s3:ListBucket, so it cannot read the contents of the bucket
2. VendorsWGLogs/*) level, so you need to list both under Resource. The resulting policy should be:
    "Resource": [
        "arn:aws:s3:::VendorsWGLogs",
        "arn:aws:s3:::VendorsWGLogs/*"
    ]
This needs to go under the log bucket's properties:
    Properties: {
        AccessControl: "LogDeliveryWrite"
    }
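To catch this misconfiguration before a stack deploy rather than from the "log-delivery group" error, the following added check (example code written for this page, not part of the question or answer) walks a CloudFormation template as a Python dict and reports every bucket whose LoggingConfiguration points at a target that neither carries the AccessControl: LogDeliveryWrite canned ACL from the answer nor grants s3:PutObject to the logging service principal by bucket policy. The sample templates BROKEN and FIXED are constructed here from the question's two buckets; the function and variable names are the example's own.

```python
LOG_SERVICE = "logging.s3.amazonaws.com"  # S3 server access logging principal

def _ref(value):
    """Return the logical id behind {"Ref": ...}, or the literal string."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value

def _policy_grants_log_service(resources, target_id):
    """True if an AWS::S3::BucketPolicy on target_id allows the logging
    service principal s3:PutObject (the ACL-free way to grant delivery)."""
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::S3::BucketPolicy" or _ref(props.get("Bucket")) != target_id:
            continue
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            services = stmt.get("Principal", {}).get("Service", [])
            services = [services] if isinstance(services, str) else services
            if (stmt.get("Effect") == "Allow" and LOG_SERVICE in services
                    and any(a in ("s3:PutObject", "s3:*") for a in actions)):
                return True
    return False

def check_logging_targets(template):
    """One finding per source bucket whose log target neither carries the
    LogDeliveryWrite canned ACL nor grants the logging service by policy."""
    findings, resources = [], template.get("Resources", {})
    for name, res in resources.items():
        logging_cfg = res.get("Properties", {}).get("LoggingConfiguration")
        if res.get("Type") != "AWS::S3::Bucket" or not logging_cfg:
            continue
        # DestinationBucketName defaults to the bucket itself when omitted
        target = _ref(logging_cfg.get("DestinationBucketName", name))
        target_res = resources.get(target)
        if target_res is None:
            findings.append(f"{name}: log target {target!r} is not a bucket in this template")
        elif (target_res.get("Properties", {}).get("AccessControl") != "LogDeliveryWrite"
              and not _policy_grants_log_service(resources, target)):
            findings.append(f"{name}: log target {target!r} gives the log-delivery group no write access")
    return findings

# Constructed sample: the question's two buckets, reduced to the relevant parts.
BROKEN = {"Resources": {
    "VendorsWGLogs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "VendorsWG": {"Type": "AWS::S3::Bucket", "Properties": {"LoggingConfiguration": {
        "DestinationBucketName": {"Ref": "VendorsWGLogs"}, "LogFilePrefix": "testing-logs"}}}}}
# The answer's fix: the canned ACL on the log bucket.
FIXED = {"Resources": {**BROKEN["Resources"], "VendorsWGLogs": {
    "Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "LogDeliveryWrite"}}}}
```

On buckets whose Object Ownership is BucketOwnerEnforced, ACLs are disabled and the LogDeliveryWrite ACL cannot be applied, so the bucket-policy grant to logging.s3.amazonaws.com is the form to use there; the check accepts either.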
Thanks for the reply! I don't understand what you mean by #1. Also, where under Resource should the bucket be listed? I changed the action to use the wildcard * and added the Resource line, but I still get the same error....