amazon-web-services - Enabling S3 logging via a CloudFormation template?

Tags: amazon-web-services amazon-s3 aws-cloudformation amazon-iam

I am trying to create two buckets with two different policies.

One bucket, VendorsWGLogs, will be the destination for log output.

The other bucket, VendorsWG, will grant GetObject, PutObject and DeleteObject access to a specified IAM group.

This is what I have so far:

"Resources": {
    "VendorsWGLogs": {
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "LogsBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "VendorsWGLogs"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "WeatherGuidance LogBucket permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS" : "arn:aws:s3:::VendorsWG"
              },
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
              ],
              "Resource" : { "Fn::Join" : [
                  "", [ "arn:aws:s3:::", { "Ref" : "VendorsWGLogs" } , "/*" ]
               ]}
            }
          ]
        }
      }
    },
    "VendorsWG": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "LoggingConfiguration": {
          "DestinationBucketName": {"Ref" : "VendorsWGLogs"},
          "LogFilePrefix": "testing-logs"
        }
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "a1169860-d743-406e-a3e5-e12831826439"
        }
      }
    },
    "S3BP4TNQZ": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "VendorsWG"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "WeatherGuidance Object permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS" : "arn:aws:iam::someUserGroup"
              },
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
              ],
              "Resource" : { "Fn::Join" : [
                  "", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } , "/*" ]
               ]}
            },
            {
              "Sid": "WeatherGuidance ListBucket",
              "Effect": "Allow",
              "Principal": {
                "AWS" : "arn:aws:iam::someUserGroup"
              },
              "Action": "s3:ListBucket",
              "Resource" : { "Fn::Join" : [
                  "", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } ]
               ]},
              "Condition": {
                "StringLike": {
                  "s3:prefix": "weatherguidance*"
                }
              }
            }
          ]
        }
      }
    }
  }

When I try to create the stack, I get this error.

Event log output:

Type:

AWS::S3::Bucket

Logical ID:

VendorsWG

Status reason:

You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket

I thought that specifying VendorsWGLogs as the principal in the target bucket's policy would fix this, but now I am out of ideas.

What am I doing wrong? What do I need to do to enable logging? Thanks

Best answer

You need to put this under the properties of the log bucket:

Properties: {
      AccessControl: "LogDeliveryWrite"
}
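Added example (not from the question or the answer above): a small offline check, written for this page, that walks a CloudFormation template dictionary, finds every bucket whose LoggingConfiguration points at another bucket in the same template, and reports destinations that lack AccessControl: LogDeliveryWrite, which is exactly the condition behind the "You must give the log-delivery group WRITE and READ_ACP permissions" error. A second function applies the accepted answer's fix. The QUESTION_TEMPLATE is a constructed excerpt of the question's template containing only the two bucket resources; the bucket policies are omitted because they do not affect log delivery (a bucket ARN such as arn:aws:s3:::VendorsWG is not an IAM principal, and IAM groups cannot be principals in a bucket policy, so neither statement grants the log-delivery group anything).

```python
import copy
import json

# Constructed excerpt of the question's template: only the two buckets,
# because the log-delivery error is decided by the destination bucket's ACL.
QUESTION_TEMPLATE = {
    "Resources": {
        "VendorsWGLogs": {
            "Type": "AWS::S3::Bucket",
            "Properties": {},
        },
        "VendorsWG": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "LoggingConfiguration": {
                    "DestinationBucketName": {"Ref": "VendorsWGLogs"},
                    "LogFilePrefix": "testing-logs",
                }
            },
        },
    }
}

# Canned ACL that grants the S3 log-delivery group WRITE and READ_ACP.
LOG_DELIVERY_ACL = "LogDeliveryWrite"


def _resolve_destination(dest):
    """Turn a DestinationBucketName value into a logical id when it is a Ref
    to a resource in the same template; literal bucket names cannot be resolved."""
    if isinstance(dest, dict) and "Ref" in dest:
        return dest["Ref"]
    return None


def find_log_delivery_issues(template):
    """Return one finding per bucket whose logging destination (within this
    template) does not carry AccessControl: LogDeliveryWrite."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        logging_cfg = res.get("Properties", {}).get("LoggingConfiguration")
        if not logging_cfg:
            continue
        dest_id = _resolve_destination(logging_cfg.get("DestinationBucketName"))
        if dest_id is None:
            findings.append(f"{logical_id}: destination is not a Ref in this template; check its ACL manually")
            continue
        dest = resources.get(dest_id)
        if dest is None or dest.get("Type") != "AWS::S3::Bucket":
            findings.append(f"{logical_id}: DestinationBucketName refers to {dest_id}, which is not an S3 bucket here")
            continue
        acl = dest.get("Properties", {}).get("AccessControl")
        if acl != LOG_DELIVERY_ACL:
            findings.append(
                f"{logical_id}: destination {dest_id} has AccessControl={acl!r}; "
                f"needs {LOG_DELIVERY_ACL!r} so the log-delivery group gets WRITE and READ_ACP"
            )
    return findings


def apply_log_delivery_fix(template):
    """Return a deep copy of the template with AccessControl: LogDeliveryWrite
    set on every bucket used as a logging destination, as the answer advises."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})
    for res in resources.values():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        logging_cfg = res.get("Properties", {}).get("LoggingConfiguration")
        if not logging_cfg:
            continue
        dest_id = _resolve_destination(logging_cfg.get("DestinationBucketName"))
        dest = resources.get(dest_id) if dest_id else None
        if dest is not None and dest.get("Type") == "AWS::S3::Bucket":
            dest.setdefault("Properties", {})["AccessControl"] = LOG_DELIVERY_ACL
    return fixed


if __name__ == "__main__":
    for finding in find_log_delivery_issues(QUESTION_TEMPLATE):
        print("FINDING:", finding)
    repaired = apply_log_delivery_fix(QUESTION_TEMPLATE)
    print(json.dumps(repaired["Resources"]["VendorsWGLogs"], indent=2))
```

Run against the question's template the check reports one finding for VendorsWG, and after apply_log_delivery_fix the VendorsWGLogs resource carries AccessControl: LogDeliveryWrite and the check reports nothing. One caveat when reusing this today: new S3 buckets default to ACLs disabled (ObjectOwnership set to BucketOwnerEnforced), in which state the LogDeliveryWrite canned ACL is rejected; on such buckets the equivalent is a bucket policy on the destination that allows s3:PutObject for the logging.s3.amazonaws.com service principal, which this check does not evaluate.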

Regarding "amazon-web-services - Enabling S3 logging via a CloudFormation template?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42846333/
