Amazon Web Services CloudFormation CloudTrail S3 policy error - Incorrect S3 bucket policy is detected for bucket
Tags: amazon-web-services, amazon-s3, amazon-cloudformation, amazon-cloudtrail

Thanks in advance. I have been at this all weekend. I am trying to create a CloudTrail in CloudFormation, but when the stack runs I get this error: Incorrect S3 bucket policy is detected for bucket: s3bucket-xxxxxx. Here is my code:
```json
"s3bucket-xxxxxx": {
  "Type": "AWS::S3::Bucket",
  "Properties": {
    "AccessControl": "Private",
    "VersioningConfiguration": {
      "Status": "Suspended"
    }
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "id": "XXXX"
    }
  }
},
"s3policytraillogs": {
  "Type": "AWS::S3::BucketPolicy",
  "Properties": {
    "Bucket": {
      "Ref": "s3bucket-xxxxxx"
    },
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AWSCloudTrailAclCheck20150319",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudtrail.amazonaws.com"
          },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws:s3:::s3bucket-xxxxxx"
        },
        {
          "Sid": "AWSCloudTrailWrite20150319",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudtrail.amazonaws.com"
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/XXXXXXXX/*",
          "Condition": {
            "StringEquals": {
              "s3:x-amz-acl": "bucket-owner-full-control"
            }
          }
        }
      ]
    }
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "id": "XXXX"
    }
  }
},
"trailtraillogs": {
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "IncludeGlobalServiceEvents": true,
    "IsLogging": "true",
    "S3BucketName": {
      "Ref": "s3bucket-xxxxxx"
    }
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "id": "XXXX"
    }
  }
}
```
To fix this, you need to use a reference (Ref) to tie the Resource to the bucket:

```json
"Resource": [{
  "Fn::Join": ["", [
    "arn:aws:s3:::", {
      "Ref": "s3traillogs"
    }, "/AWSLogs/XXXXXXXXXXX/*"
  ]]
}],
```
Based on the resource definition, the YAML could be:

```yaml
EventBucketStorage:
  Type: "AWS::S3::Bucket"
  Properties:
    #AccessControl: PublicRead
    MetricsConfigurations:
      - Id: EventBucketStorageMetrics
    BucketName: !Sub "s3-event-step-bucket-storage-s"
EventBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref EventBucketStorage
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Sid: "AWSCloudTrailAclCheck20150319"
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:GetBucketAcl
          Resource: !Join
            - ""
            - - "arn:aws:s3:::"
              - !Ref EventBucketStorage
        -
          Sid: AWSCloudTrailWrite20150319
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource: !Join
            - ""
            - - "arn:aws:s3:::"
              - !Ref EventBucketStorage
              - /*
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control
```
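As an added check (not code from the question or the answers above), the script below lints a parsed CloudFormation template for the two mistakes both answers correct: a CloudTrail policy statement whose Resource is a literal ARN rather than one built from a Ref to the bucket the trail writes to, and a PutObject statement without the bucket-owner-full-control condition. The templates it builds are constructed for the example; the logical IDs LogBucket, LogBucketPolicy and Trail and the account id 111122223333 are assumptions.

```python
CLOUDTRAIL = "cloudtrail.amazonaws.com"

def ref_in(value):
    """Logical ID named by a Ref (also when nested inside Fn::Join), else None."""
    if not isinstance(value, dict):
        return None
    return value.get("Ref") or next(filter(None, map(ref_in, value.get("Fn::Join", ["", []])[1])), None)

def lint_trail_policy(template):
    """List the CloudTrail bucket-policy problems found in a parsed template dict."""
    res, problems = template["Resources"], []
    for name, trail in res.items():
        if trail["Type"] != "AWS::CloudTrail::Trail":
            continue
        bucket = ref_in(trail["Properties"]["S3BucketName"])
        policy = next((p for p in res.values() if p["Type"] == "AWS::S3::BucketPolicy"
                       and ref_in(p["Properties"]["Bucket"]) == bucket), None)
        if bucket is None or policy is None:
            problems.append(f"{name}: trail and bucket policy must Ref the same bucket")
            continue
        for s in policy["Properties"]["PolicyDocument"]["Statement"]:
            if s["Effect"] != "Allow" or s.get("Principal", {}).get("Service") != CLOUDTRAIL:
                continue
            rsrcs = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
            if any(ref_in(r) != bucket for r in rsrcs):
                # A literal "arn:aws:s3:::name" never matches a bucket whose physical
                # name CloudFormation generates at stack creation (no BucketName set).
                problems.append(f"{name}: {s.get('Sid')} hard-codes the bucket ARN")
            acl = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if s["Action"] == "s3:PutObject" and acl != "bucket-owner-full-control":
                problems.append(f"{name}: {s.get('Sid')} lacks the bucket-owner-full-control condition")
    return problems

def make_template(acl_arn, write_arn):
    """Constructed template shaped like the question's; only the Resource values vary."""
    p = {"Service": CLOUDTRAIL}
    stmts = [{"Sid": "AclCheck", "Effect": "Allow", "Principal": p, "Action": "s3:GetBucketAcl", "Resource": acl_arn},
             {"Sid": "Write", "Effect": "Allow", "Principal": p, "Action": "s3:PutObject", "Resource": write_arn,
              "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]
    return {"Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {"Bucket": {"Ref": "LogBucket"},
                            "PolicyDocument": {"Version": "2012-10-17", "Statement": stmts}}},
        "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {"IsLogging": True, "S3BucketName": {"Ref": "LogBucket"}}}}}

# Broken, as in the question: literal ARNs (placeholder account id 111122223333).
BROKEN = make_template("arn:aws:s3:::s3bucket-xxxxxx", "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/111122223333/*")
# Fixed, as in the answers: build each ARN from a Ref to the bucket resource.
FIXED = make_template({"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "LogBucket"}]]},
                      {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "LogBucket"}, "/AWSLogs/111122223333/*"]]})
```

Run `lint_trail_policy` on a template loaded with `json.load` (or a YAML loader that understands the `!Ref`/`!Join` tags) before deploying; the check only accepts the Ref-based pattern the answers recommend, so a bucket addressed by a literal name is reported even when the names happen to agree.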
You can also check this link. The above error can also be caused by:

1) A dependency problem between the trail and the bucket. This can be solved by referencing the bucket in the trail:

```json
"DependsOn": [
  "TheLogBucket"
]
```

2) An incorrect bucket policy configuration. For example, in statement 2: "Resource": "arn:aws:s3:::myBucketName//AWSLogs/
(**) Please make sure to comply.

Michael: What is the intended purpose of VersioningConfiguration: {"Status": "Suspended"}? It seems unlikely that you would want to create a bucket with versioning suspended.

Asker: Hey Michael, thanks for getting back to me. This is just what CloudFormer generated; does it need a different value? I am just going by gut feeling.

Michael: Versioning on a bucket can only be suspended after it has first been enabled -- I think. But in fact the error is about the policy, so I may have misled you. I will look at the policy part more carefully. I wonder whether you don't need something like "Resource": [{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "s3bucket-xxxxxx"}, "/AWSLogs/XXXXXXXX/*"]]}] to build the ARN in the second statement, and something similar, but without the last string, in the first statement. I'm afraid I really can't see the problem otherwise.

Asker: Thanks for your help, Michael!