amazon-web-services - CloudFormation CloudTrail S3 policy error - Incorrect S3 bucket policy is detected for bucket

Tags: amazon-web-services amazon-s3 aws-cloudformation amazon-cloudtrail

Thanks in advance!

I have been stuck on this all weekend. I am trying to create a CloudTrail trail in CloudFormation, but when I run it I get this error - Incorrect S3 bucket policy is detected for bucket: s3bucket-xxxxxx

Here is my code:

"s3bucket-xxxxxx": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "AccessControl": "Private",
        "VersioningConfiguration": {
            "Status": "Suspended"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"s3policytraillogs": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "s3bucket-xxxxxx"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::s3bucket-xxxxxx"
                },
                {
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:PutObject",
                    "Resource":  "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/XXXXXXXX/*",
                    "Condition": {
                        "StringEquals": {
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    }
                }
            ]
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"trailtraillogs": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "IncludeGlobalServiceEvents": true,
        "IsLogging": "true",
        "S3BucketName": {
            "Ref": "s3bucket-xxxxxx"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
}

Best answer

To fix this, you need to use a reference to connect the resource to the bucket:

                    "Resource": [{
                      "Fn::Join": [ "", [
                          "arn:aws:s3:::", {
                            "Ref": "s3traillogs"
                          }, "/AWSLogs/XXXXXXXXXXX/*"
                        ]
                      ]
                    }],
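As an added example (not part of the question or the answer), a small Python check that catches this mistake before deployment: it walks a CloudFormation template as a dict and reports CloudTrail bucket-policy statements whose Resource ARN is a literal string rather than built from Ref, Fn::GetAtt or Fn::Sub on the policy's own bucket. The logical IDs, the account ID and the two sample templates are constructed for this example.

```python
# Added check (not from the post): flag CloudTrail policy statements whose
# Resource ARN is a literal string instead of a reference to the bucket.
def _refs_bucket(value, bucket_id):
    """True if the ARN is built from the bucket's logical ID at any depth."""
    if isinstance(value, list):
        return any(_refs_bucket(v, bucket_id) for v in value)
    if isinstance(value, dict):
        ga = value.get("Fn::GetAtt")
        sub = value.get("Fn::Sub")
        if (value.get("Ref") == bucket_id
                or (isinstance(ga, list) and ga and ga[0] == bucket_id)
                or (isinstance(sub, str) and "${%s" % bucket_id in sub)):
            return True
        return any(_refs_bucket(v, bucket_id) for v in value.values())
    return False  # a bare string never follows the generated bucket name

def find_literal_trail_arns(template):
    """(policy logical ID, Sid) for each cloudtrail.amazonaws.com statement
    whose Resource does not reference the policy's own bucket."""
    findings = []
    for pol_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res["Properties"]
        bucket = props["Bucket"]
        bucket_id = bucket.get("Ref") if isinstance(bucket, dict) else None
        if bucket_id is None:
            continue  # bucket given by literal name; not the case discussed here
        for stmt in props["PolicyDocument"]["Statement"]:
            if stmt.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
                continue
            if not _refs_bucket(stmt["Resource"], bucket_id):
                findings.append((pol_id, stmt.get("Sid")))
    return findings

def _template(resource):
    """Constructed minimal template (bucket + policy + trail) for the check."""
    return {"Resources": {
        "TrailBucket": {"Type": "AWS::S3::Bucket"},
        "TrailBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": "TrailBucket"},
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject", "Resource": resource}]}}},
        "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
            "IsLogging": True, "S3BucketName": {"Ref": "TrailBucket"}}}}}

# Question's form: logical ID written into the ARN as if it were the bucket name.
BROKEN = _template("arn:aws:s3:::TrailBucket/AWSLogs/123456789012/*")
# Answer's form: ARN assembled from Ref, so it follows the generated name.
FIXED = _template({"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "TrailBucket"},
                                     "/AWSLogs/123456789012/*"]]})
```

Running `find_literal_trail_arns` on a template before `aws cloudformation deploy` surfaces the mismatch that otherwise only shows up as the "Incorrect S3 bucket policy" error at trail creation time.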

Regarding amazon-web-services - CloudFormation CloudTrail S3 policy error - Incorrect S3 bucket policy is detected for bucket, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/43980042/
