I am trying to create a CloudTrail trail that logs data events for all S3 buckets, but it keeps throwing an error. The template looks like this:
  DataTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      CloudWatchLogsLogGroupArn:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-CloudtrailLogGroupARN
      CloudWatchLogsRoleArn:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-CloudTrailLogsRoleARN
      EnableLogFileValidation: true
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - 'arn:aws:s3:::*'
        - IncludeManagementEvents: false
        - ReadWriteType: All
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      KMSKeyId:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-InvoicegenKey-CMK-Arn
      S3BucketName:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-CloudTrailBucket-Name
The AWS docs say it must be a list of strings, so I did this:
  Values:
    - 'arn:aws:s3:::*'
But it always fails...
Thanks in advance
A
Best answer
In the end this was easy; I just created a trail through the console, then got the result with aws cloudtrail get-event-selectors --trail-name <name>.
Then I moved it into my template, like this:
  DataResources:
    - Type: AWS::S3::Object
      Values:
        - arn:aws:s3
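A complete EventSelectors block for the trail above, written here as an added example rather than code from the question or the accepted answer. It keeps the question's logical ID and property names and shows the selector as one object, with the all-buckets prefix the answer obtained from get-event-selectors.

```yaml
  DataTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      # CloudWatchLogs*, KMSKeyId and S3BucketName unchanged from the question
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      EventSelectors:
        # A single selector carries all three keys. In the question,
        # IncludeManagementEvents and ReadWriteType were separate list
        # items, which makes them three selectors instead of one.
        - ReadWriteType: All
          IncludeManagementEvents: false
          DataResources:
            - Type: AWS::S3::Object
              Values:
                # "arn:aws:s3" is the prefix the console-created trail
                # reported via get-event-selectors; it matches every
                # object in every bucket of the account.
                - arn:aws:s3
```

After deployment, compare `aws cloudtrail get-event-selectors --trail-name <name>` against this block to confirm the data-event selector was applied as intended.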
About aws-cloudformation - Setting event values for CloudTrail - all S3 buckets, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/52919394/