CloudFormation Bucket Policy - Missing required field "Effect"

I tried deploying the following code to CloudFormation. For some reason, it insists that a key element is missing from my template.

I only started getting this error after I modified the bucket policy in the resource S3NotificationBucketPolicy.

Any insight would be great.

{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
    "S3NotificationBucketPolicy": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "S3NotificationBucket"
            },
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "AWSCloudTrailAclCheck20150318",
                        "Action": "s3:GetBucketAcl",
                        "Effect": "Allow",
                        "Resource": {
                            "Fn::Join": ["",
                            ["arn:aws:s3:::",
                            {
                                "Ref": "S3NotificationBucket"
                            }]]
                        },
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        }
                    },
                    {
                        "Sid": "AWSCloudTrailWrite20150318",
                        "Action": "s3:PutObject",
                        "Effect": "Allow",
                        "Resource": {
                            "Fn::Join": ["",
                            ["arn:aws:s3:::",
                            {
                                "Ref": "S3NotificationBucket"
                            },
                            "/*"]]
                        },
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        },
                        "Condition": {
                            "StringEquals": {
                                "s3:x-amz-acl": "bucket-owner-full-control"
                            }
                        }
                    }]
                }]
            }
        }
    },
    "S3Bucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Delete",
        "Properties": {

        }
    },
    "S3NotificationBucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Delete",
        "Properties": {

        }
    },
    "S3BucketPolicyForCloudTrail": {
        "DependsOn": "S3Bucket",
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "S3Bucket"
            },
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": {
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        }]]
                    }
                },
                {
                    "Sid": "Permissions for Cloudtrail",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:*",
                    "Resource": {
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        },
                        "/*"]]
                    }
                }]
            }
        }
    },
    "CloudTrailForS3": {
        "DependsOn": ["S3NotificationBucketPolicy",
        "S3BucketPolicyForCloudTrail"],
        "Type": "AWS::CloudTrail::Trail",
        "Properties": {
            "EventSelectors": [{
                "DataResources": [{
                    "Type": "AWS::S3::Object",
                    "Values": [{
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        },
                        "/*"]]
                    }]
                }],
                "ReadWriteType": "All",
                "IncludeManagementEvents": false
            }],
            "S3BucketName": {
                "Ref": "S3NotificationBucket"
            },
            "IsLogging": true,
            "IncludeGlobalServiceEvents": true
        }
    }
  }
}

It fails with the following message, even though I have stated the required element.

Missing required field Effect (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: B44FBDB00CA6AFDD; S3 Extended Request ID: jglPqCY9LCEOvIz5v7d2vyFbeaaelNVgahs7nGtYg5NJR20FRfef4m0lgtzqZEMyltI7d9T1g4s=)

Your problem is that the S3NotificationBucketPolicy policy document has an extra Version/Statement:

"S3NotificationBucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "S3NotificationBucket"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",      <-- Here
            "Statement": [{
                "Version": "2012-10-17",  <-- And here
                "Statement": [{
                    "Sid": "AWSCloudTrailAclCheck20150318",

Remove one of them (along with the matching closing brackets) and it should work.
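The mistake in the question is easy to repeat, and S3 only reports it once CloudFormation has already tried to apply the policy. The following script, added here as an example and not part of the question or the answer, lints a bucket policy document offline before deployment: it reports a "Version"/"Statement" pair nested inside a statement (which is exactly why the outer statement has no "Effect"), checks the fields a resource-based policy needs, flags wildcard actions in Allow statements, and hoists nested statements to the top level the way the answer describes. The `lint_policy` and `flatten_nested` function names, the `$.Statement[i]` path notation and the sample documents are my own constructions; the sample documents mirror the two bucket policies in the question's template, with the `Fn::Join` intrinsics left unresolved.

```python
"""Lint an S3 bucket policy document before CloudFormation hands it to S3.

Added example, not from the original question or answer. Checks:
  * a nested "Version"/"Statement" inside a statement (the question's bug),
  * the fields every statement in a resource-based policy needs,
  * wildcard actions in Allow statements (CloudTrail needs only
    s3:GetBucketAcl and s3:PutObject on its log bucket).
"""
import json

# Fields a bucket (resource-based) policy statement must carry.
REQUIRED = ("Effect", "Action", "Resource", "Principal")
WILDCARD_ACTIONS = {"*", "s3:*"}


def lint_policy(doc):
    """Return a list of (json_path, message) findings for one policy document."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append(("$", 'policy "Version" should be "2012-10-17"'))
    statements = doc.get("Statement")
    if not isinstance(statements, list):
        findings.append(("$", '"Statement" must be a list'))
        return findings
    for i, stmt in enumerate(statements):
        path = f"$.Statement[{i}]"
        # The question's mistake: a whole policy document nested as one statement.
        if "Statement" in stmt or "Version" in stmt:
            findings.append((path, 'nested "Version"/"Statement" inside a statement; '
                                   'flatten it into the top-level "Statement" list'))
        for field in REQUIRED:
            if field not in stmt:
                findings.append((path, f'missing required field "{field}"'))
        if stmt.get("Effect") not in (None, "Allow", "Deny"):
            findings.append((path, f'"Effect" must be "Allow" or "Deny", got {stmt["Effect"]!r}'))
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and WILDCARD_ACTIONS.intersection(actions):
            findings.append((path, 'wildcard "Action" in an Allow statement; CloudTrail only '
                                   'needs s3:GetBucketAcl and s3:PutObject'))
    return findings


def flatten_nested(doc):
    """Hoist statements nested under a statement's own "Statement" to the top level.

    This is the repair the answer describes: keep one Version/Statement pair.
    """
    flat = []
    for stmt in doc.get("Statement", []):
        if isinstance(stmt.get("Statement"), list):
            flat.extend(stmt["Statement"])
        else:
            flat.append(stmt)
    return {"Version": doc.get("Version", "2012-10-17"), "Statement": flat}


# Constructed samples mirroring the question's template (CloudFormation intrinsics kept as-is).
CLOUDTRAIL_STATEMENTS = [
    {"Sid": "AWSCloudTrailAclCheck20150318", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl",
     "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3NotificationBucket"}]]}},
    {"Sid": "AWSCloudTrailWrite20150318", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3NotificationBucket"}, "/*"]]},
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]
# The shape that produced "Missing required field Effect" in the question.
BROKEN_DOC = {"Version": "2012-10-17",
              "Statement": [{"Version": "2012-10-17", "Statement": CLOUDTRAIL_STATEMENTS}]}
# Mirrors the second statement of S3BucketPolicyForCloudTrail: syntactically fine, but s3:* is wide.
WIDE_DOC = {"Version": "2012-10-17",
            "Statement": [{"Sid": "Permissions for Cloudtrail", "Effect": "Allow",
                           "Principal": {"Service": "cloudtrail.amazonaws.com"},
                           "Action": "s3:*",
                           "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3Bucket"}, "/*"]]}}]}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_DOC), ("flattened", flatten_nested(BROKEN_DOC)), ("wide", WIDE_DOC)):
        print(f"== {name} ==")
        for path, msg in lint_policy(doc) or [("-", "no findings")]:
            print(f"{path}: {msg}")
    print(json.dumps(flatten_nested(BROKEN_DOC), indent=2))
```

Running it on the broken document lists the nested pair plus the four missing fields on `$.Statement[0]`; the flattened document produces no findings and carries the two CloudTrail statements at the top level, which is the layout S3 accepts.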