Incorrect S3 bucket policy is detected for bucket in CloudFormation

I'm having problems implementing CloudTrail through CloudFormation: when I try to launch the template, it fails with the error "Incorrect S3 bucket policy is detected for bucket".

Here is the BucketPolicy configuration:

"LogBucketPolicy": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "LogBucket"
            },
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "AWSCloudTrailAclCheck",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        },
                        "Action": "s3:GetBucketAcl",
                        "Resource": {
                            "Fn::Join": [
                                "",
                                [
                                    "arn:aws:s3:::",
                                    {
                                        "Ref": "LogBucket"
                                    }
                                ]
                            ]
                        }
                    },
                    {
                        "Sid": "AWSCloudTrailWrite",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        },
                        "Action": "s3:PutObject",
                        "Resource": {
                            "Fn::Join": [
                                "",
                                [
                                    "arn:aws:s3:::",
                                    {
                                        "Ref": "LogBucket"
                                    },
                                    "/AWSLogs/139339407673/*"
                                ]
                            ]
                        },
                        "Condition": {
                            "StringEquals": {
                                "s3:x-amz-acl": "bucket-owner-full-control"
                            }
                        }
                    }
                ]
            }
        }
    }

I copied the template from the AWS example, but please let me know if I made a mistake while implementing it.

Edit: the error is not raised by the bucket policy but by CloudTrail. Here is the bucket's configuration:

"Trail": {
        "Type": "AWS::CloudTrail::Trail",
        "Properties": {
            "SnsTopicName": {
                "Fn::GetAtt": [
                    "Topic",
                    "TopicName"
                ]
            },
            "IsLogging": true,
            "S3BucketName": {
                "Ref": "LogBucket"
            }
        },
        "DependsOn": [
            "LogBucket"
        ]
    }

I modified your code and it seems to work for me. Can you try this?

{
  "Parameters": {
    "LogBucket": {
      "Description": "Name Bucket.",
      "Type": "String"
    }
  },
  "Resources": {
    "LogBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
                "Ref": "LogBucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "LogBucket"
                    }
                  ]
                ]
              }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "LogBucket"
                    },
                    "/AWSLogs/139339407673/*"
                  ]
                ]
              },
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      }
    }
  }
}

As Krishna mentioned, the error came from me not putting a dependency on the BucketPolicy. Once that was done, the stack deployed without any problem.

Besides the dependency issue mentioned in the accepted answer, the error can also come from various cases of S3 policy misconfiguration.

For example, if we look at the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::myBucketName"
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/<account-id>/*",
      "Condition": { 
        "StringEquals": { 
          "s3:x-amz-acl": "bucket-owner-full-control" 
        }
      }
    }
  ]
}

Look at the Resource block of the second statement:

 "Resource": "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/<account-id>/*"

Passing a wrong value to the Resource block, for example a wrong prefix (my case) or forgetting the "*" suffix (as mentioned here in the previous scenario), will cause the error.

(*) Example taken from here.
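As an added example (not code from the question or from either answer), the Python check below covers both failure modes this page discusses: the accepted answer's ordering problem, where the Trail does not declare DependsOn on the bucket policy, and the second answer's Resource problem, where the PutObject ARN does not have the shape bucket/[prefix/]AWSLogs/<account-id>/*. The template, the bucket name my-log-bucket and the account ID 123456789012 are constructed placeholders; `broken_copy` exists only to inject the misconfigurations for demonstration.

```python
import copy
import re

CLOUDTRAIL = "cloudtrail.amazonaws.com"

# Constructed minimal template for this example: the bucket name, the account ID
# 123456789012 and the logical IDs are placeholders, not values from the post above.
# The Trail declares DependsOn on the bucket policy, the fix the thread arrived at.
TEMPLATE = {"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket"},
    "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "LogBucket"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:GetBucketAcl",
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "LogBucket"}]]}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:PutObject",
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "LogBucket"},
                                             "/AWSLogs/123456789012/*"]]},
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}}},
    "Trail": {"Type": "AWS::CloudTrail::Trail",
              "Properties": {"IsLogging": True, "S3BucketName": {"Ref": "LogBucket"}},
              "DependsOn": ["LogBucketPolicy"]}}}


def resolve(value, bucket_name):
    """Reduce a Ref / Fn::Join tree to a string; assumes every Ref is the log bucket."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Ref" in value:
        return bucket_name
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(resolve(p, bucket_name) for p in parts)
    raise ValueError(f"unsupported value: {value!r}")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants(doc, action):
    """Allow statements granting `action` to the CloudTrail service principal."""
    out = []
    for st in doc.get("Statement", []):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and CLOUDTRAIL in services
                and action in _as_list(st.get("Action", []))):
            out.append(st)
    return out


def check_cloudtrail_template(template, account_id, bucket_name="my-log-bucket"):
    """Return a list of findings; an empty list means the template passes every check."""
    findings = []
    res = template.get("Resources", {})
    policies = {k: v for k, v in res.items() if v.get("Type") == "AWS::S3::BucketPolicy"}
    trails = {k: v for k, v in res.items() if v.get("Type") == "AWS::CloudTrail::Trail"}
    if not trails:
        return ["no AWS::CloudTrail::Trail resource"]
    for trail_id, trail in trails.items():
        bucket_ref = trail["Properties"].get("S3BucketName")
        policy_id = next((p for p, v in policies.items()
                          if v["Properties"].get("Bucket") == bucket_ref), None)
        if policy_id is None:
            findings.append(f"{trail_id}: no AWS::S3::BucketPolicy for {bucket_ref}")
            continue
        # 1. Ordering: a Ref to the bucket orders the trail after the bucket only,
        #    not after its policy, so CloudTrail may validate before the policy exists.
        if policy_id not in _as_list(trail.get("DependsOn", [])):
            findings.append(f"{trail_id}: missing DependsOn {policy_id}")
        doc = policies[policy_id]["Properties"]["PolicyDocument"]
        bucket_arn = f"arn:aws:s3:::{bucket_name}"
        # 2. GetBucketAcl must be granted on the bucket ARN itself (no trailing /*).
        if not any(resolve(st["Resource"], bucket_name) == bucket_arn
                   for st in grants(doc, "s3:GetBucketAcl")):
            findings.append(f"{policy_id}: no s3:GetBucketAcl grant on {bucket_arn}")
        # 3. PutObject on <bucket>/[prefix/]AWSLogs/<account-id>/* with the ACL condition.
        want = re.compile(re.escape(bucket_arn) + r"/(?:.+/)?AWSLogs/" + re.escape(account_id) + r"/\*")
        puts = grants(doc, "s3:PutObject")
        if not puts:
            findings.append(f"{policy_id}: no s3:PutObject grant")
        for st in puts:
            target = resolve(st["Resource"], bucket_name)
            acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if not want.fullmatch(target):
                findings.append(f"{policy_id}: PutObject resource {target!r} is not "
                                f"{bucket_arn}/[prefix/]AWSLogs/{account_id}/*")
            if acl != "bucket-owner-full-control":
                findings.append(f"{policy_id}: PutObject grant lacks s3:x-amz-acl condition")
    return findings


def broken_copy(template, depends_on=True, write_suffix="/AWSLogs/123456789012/*"):
    """Copy `template` with the misconfigurations this page discusses injected."""
    t = copy.deepcopy(template)
    if not depends_on:
        t["Resources"]["Trail"].pop("DependsOn")
    doc = t["Resources"]["LogBucketPolicy"]["Properties"]["PolicyDocument"]
    write = next(s for s in doc["Statement"] if s["Sid"] == "AWSCloudTrailWrite")
    write["Resource"]["Fn::Join"][1][-1] = write_suffix
    return t
```

To run it against a real template, `json.load` the file and pass the bucket name you expect CloudTrail to see (the value of the LogBucket parameter in the accepted answer); `check_cloudtrail_template(TEMPLATE, "123456789012")` returns an empty list for the correct template, while `broken_copy(TEMPLATE, depends_on=False)` reports the missing DependsOn and `broken_copy(TEMPLATE, write_suffix="/AWSLogs/123456789012/")` reports the Resource without the trailing `*`. A wrong account ID in the path is reported the same way, because the regex requires the account you pass in.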