0

I am trying to create two buckets with different policies. Enabling S3 logging through a CloudFormation template?

One bucket (VendorsWGLogs) will be the destination for the log output.

The other bucket, VendorsWG, will give GetObject, PutObject and DeleteObject access to a specified IAM group.

This is what I have so far:

    "Resources": {
      "VendorsWGLogs": {
        "Type": "AWS::S3::Bucket",
        "Properties": {}
      },
      "LogsBucketPolicy": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
          "Bucket": { "Ref": "VendorsWGLogs" },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "WeatherGuidance LogBucket permissions",
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:s3:::VendorsWG" },
                "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ],
                "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "VendorsWGLogs" }, "/*" ] ] }
              }
            ]
          }
        }
      },
      "VendorsWG": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
          "LoggingConfiguration": {
            "DestinationBucketName": { "Ref": "VendorsWGLogs" },
            "LogFilePrefix": "testing-logs"
          }
        },
        "Metadata": {
          "AWS::CloudFormation::Designer": { "id": "a1169860-d743-406e-a3e5-e12831826439" }
        }
      },
      "S3BP4TNQZ": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
          "Bucket": { "Ref": "VendorsWG" },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "WeatherGuidance Object permissions",
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::someUserGroup" },
                "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ],
                "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "VendorsWG" }, "/*" ] ] }
              },
              {
                "Sid": "WeatherGuidance ListBucket",
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::someUserGroup" },
                "Action": "s3:ListBucket",
                "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "VendorsWG" } ] ] },
                "Condition": {
                  "StringLike": { "s3:prefix": "weatherguidance*" }
                }
              }
            ]
          }
        }
      }
    }

When I try to create a stack, I get this error:

Event log output:

Type:

AWS::S3::Bucket 

Logical ID:

VendorsWG 

Status reason:

You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket 

I thought that specifying the principal in the destination bucket policy for VendorsWGLogs would fix this, but that was just my thinking.

What am I doing wrong? What can I do to enable logging? Thanks

Answers

1

You need to put this under the log bucket's Properties:

    "Properties": {
      "AccessControl": "LogDeliveryWrite"
    }
1

I think your problem is twofold:

  1. There is no s3:ListBucket in the actions on the S3 bucket, so the contents of the bucket cannot be read.

  2. Actions are at the bucket (VendorsWGLogs) and content (VendorsWGLogs/*) level, so you need to list both under Resource. The resulting policy should read

    "Resource": [ "arn:aws:s3:::VendorsWGLogs", "arn:aws:s3:::VendorsWGLogs/*" ]

+0

Thanks for the response! I don't understand what you mean by #1. Also, should the bucket be listed under Resource? – c0de

+0

I changed the action to use the wildcard * and I added the Resource line, but I still get the same error.... – c0de

+0

This is just wrong. I found the answer – c0de
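A corrected template, as an added example that is not the original poster's template or either answer's code: it grants the S3 log delivery service write access through a bucket policy rather than the LogDeliveryWrite canned ACL (new buckets have ACLs disabled by default, which the explicit BucketOwnerEnforced rule pins down), uses DependsOn so the policy exists before logging is switched on for VendorsWG, and, because an IAM group cannot be a principal in a bucket policy, gives the group its access through an identity policy attached to the group instead. GroupName is an assumed parameter naming an existing IAM group; the Description field records that this is added example code.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not the original poster's template. GroupName is an assumed existing IAM group.",
  "Parameters": { "GroupName": { "Type": "String" } },
  "Resources": {
    "VendorsWGLogs": {
      "Type": "AWS::S3::Bucket",
      "Properties": { "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced" } ] } }
    },
    "LogsBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "VendorsWGLogs" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ {
            "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" },
            "Action": "s3:PutObject",
            "Resource": { "Fn::Sub": "arn:aws:s3:::${VendorsWGLogs}/testing-logs/*" },
            "Condition": { "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } } }
          } ]
        }
      }
    },
    "VendorsWG": {
      "Type": "AWS::S3::Bucket",
      "DependsOn": "LogsBucketPolicy",
      "Properties": {
        "LoggingConfiguration": { "DestinationBucketName": { "Ref": "VendorsWGLogs" }, "LogFilePrefix": "testing-logs/" }
      }
    },
    "VendorsWGGroupPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "VendorsWGObjectAccess",
        "Groups": [ { "Ref": "GroupName" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ],
              "Resource": { "Fn::Sub": "arn:aws:s3:::${VendorsWG}/*" } },
            { "Effect": "Allow", "Action": "s3:ListBucket",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${VendorsWG}" },
              "Condition": { "StringLike": { "s3:prefix": "weatherguidance*" } } }
          ]
        }
      }
    }
  }
}
```

The Resource of the log delivery statement must cover the LogFilePrefix, otherwise S3 rejects the logging configuration with the same permissions error. An aws:SourceArn condition naming VendorsWG is deliberately left out, since referencing VendorsWG from LogsBucketPolicy would form a circular dependency with the DependsOn.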