我正在嘗試創建兩個不同策略的桶。通過cloudFormation模板啓用日誌記錄S3?
一個桶(VendorsWGLogs)將成爲日誌輸出的目的地。
另一個存儲桶VendorsWG將使GetObject,PutObject和DeleteObject訪問指定的IAM組。
這是我到目前爲止有:
"Resources": {
"VendorsWGLogs": {
"Type": "AWS::S3::Bucket",
"Properties": {},
},
"LogsBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "VendorsWGLogs"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WeatherGuidance LogBucket permissions",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:s3:::VendorsWG"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "VendorsWGLogs" } , "/*" ]
]}
}
]
}
}
},
"VendorsWG": {
"Type": "AWS::S3::Bucket",
"Properties": {
"LoggingConfiguration": {
"DestinationBucketName": {"Ref" : "VendorsWGLogs"},
"LogFilePrefix": "testing-logs"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a1169860-d743-406e-a3e5-e12831826439"
},
}
},
"S3BP4TNQZ": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "VendorsWG"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WeatherGuidance Object permissions",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:iam::someUserGroup"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } , "/*" ]
]}
},
{
"Sid": "WeatherGuidance ListBucket",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:iam::someUserGroup"
},
"Action": "s3:ListBucket",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } ]
]},
"Condition": {
"StringLike": {
"s3:prefix": "weatherguidance*"
}
}
}
]
}
}
}
}
事件日誌輸出:
類型:
AWS::S3::Bucket
邏輯ID:
VendorsWG
狀態的原因:
You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket
我認爲指定目標水桶的政策的主要爲VendorsWGLogs可以解決這個問題,現在我的想法。
我在做什麼錯?我能做些什麼來啓用日誌記錄? 感謝
感謝您的迴應! 我不明白你的意思#1 此外,該桶應列在資源下? – c0de
我改變了操作以使用通配符*,並且我添加了資源行,但是我仍然得到相同的錯誤.... – c0de
這只是錯誤的。我找到了答案 – c0de