InsufficientS3BucketPolicyException in aws-cdk

Problem description

So, I am trying to create a solution that creates an S3 bucket that allows CloudTrail to log to it. I get an error like the following:

Incorrect S3 bucket policy is detected for bucket: accountbaselinestack-mastercloudtrailbucket24da1a-gbg32oqnp9kp (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientS3BucketPolicyException;
Request ID: 880aca54-2096-44c2-853b-0e6cf735a1ca; Proxy: null)

Here is the offending code:

import * as cdk from '@aws-cdk/core';
import * as sns from '@aws-cdk/aws-sns';
import * as subs from '@aws-cdk/aws-sns-subscriptions';
import * as s3 from '@aws-cdk/aws-s3';
import { CfnBucketPolicy } from '@aws-cdk/aws-s3';
import * as iam from '@aws-cdk/aws-iam';
import * as guardduty from '@aws-cdk/aws-guardduty';
import * as events from '@aws-cdk/aws-events';
import * as eventTargets from '@aws-cdk/aws-events-targets';
import * as cloudtrail from '@aws-cdk/aws-cloudtrail';
import * as logs from '@aws-cdk/aws-logs';

// I need to find a way to use this for the emailsub
// export interface guardDutyAccountProps {
//   email: string
// }

const contactEmail = 'testEmailHere@test.com';

export class AccountBaselineStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Enable GuardDuty in the account
    new guardduty.CfnDetector(this, 'GuardDutyDetector', { enable: true });

    // Role that CloudTrail assumes to deliver events to CloudWatch Logs
    const mainCloudWatchRole = new iam.Role(this, 'mainCloudWatchRole', {
      assumedBy: new iam.ServicePrincipal('cloudtrail.amazonaws.com'),
    });
    mainCloudWatchRole.addManagedPolicy(
      iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchLogsFullAccess'),
    );

    // Email notification for every GuardDuty finding
    const guardDutyTopic = new sns.Topic(this, 'GuardDutyNotificationTopic');
    guardDutyTopic.addSubscription(new subs.EmailSubscription(contactEmail));
    const eventRule = new events.Rule(this, 'GuardDutyEventRule', {
      eventPattern: {
        source: ['aws.guardduty'],
        detailType: ['GuardDuty Finding'],
      },
    });
    const awsAccountID = cdk.Aws.ACCOUNT_ID.toString(); // currently unused
    eventRule.addTarget(new eventTargets.SnsTopic(guardDutyTopic, {
      message: events.RuleTargetInput.fromText(
        `WARNING: AWS GuardDuty has discovered a ${events.EventField.fromPath('$.detail.type')} security issue for (${events.EventField.fromPath('$.region')}). Please go to https://${events.EventField.fromPath('$.region')}.console.aws.amazon.com/guardduty/ to find out more details.`,
      ),
    }));

    // Bucket that receives the CloudTrail log files
    const masterCloudtrailBucket = new s3.Bucket(this, 'mastercloudtrailbucket', {
      bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
    });

    // CloudWatch Logs group that mirrors the trail
    const mainCloudTrailLogGroup = new logs.LogGroup(this, 'cloudTrailLogGroup', {
      logGroupName: cdk.PhysicalName.GENERATE_IF_NEEDED,
      retention: logs.RetentionDays.ONE_YEAR,
    });

    // Multi-region trail writing to the bucket and to CloudWatch Logs
    const mainCloudTrail = new cloudtrail.CfnTrail(this, 'mainCloudTrail', {
      trailName: 'mainCloudTrail',
      isLogging: true,
      s3BucketName: masterCloudtrailBucket.bucketName,
      cloudWatchLogsRoleArn: mainCloudWatchRole.roleArn,
      cloudWatchLogsLogGroupArn: mainCloudTrailLogGroup.logGroupArn,
      isMultiRegionTrail: true,
      includeGlobalServiceEvents: true,
    });

    // Bucket policy copied from the CloudTrail console
    new CfnBucketPolicy(this, 'MasterCloudtrailBucketPolicy', {
      bucket: masterCloudtrailBucket.bucketName,
      policyDocument: {
        Version: '2012-10-17',
        Statement: [
          {
            Sid: 'AWSCloudTrailAclCheck20150319',
            Effect: 'Allow',
            Principal: { Service: 'cloudtrail.amazonaws.com' },
            Action: 's3:GetBucketAcl',
            Resource: masterCloudtrailBucket.bucketArn,
          },
          {
            Sid: 'AWSCloudTrailWrite20150319',
            Effect: 'Allow',
            Principal: { Service: 'cloudtrail.amazonaws.com' },
            Action: 's3:PutObject',
            Resource: masterCloudtrailBucket.bucketArn + '/AWSLogs/029534166073/*',
            Condition: {
              StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
            },
          },
        ],
      },
    });

    // Second grant, added through the L2 bucket's own resource policy
    masterCloudtrailBucket.addToResourcePolicy(new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['s3:GetBucketAcl'],
      resources: [masterCloudtrailBucket.bucketArn],
      principals: [new iam.ServicePrincipal('cloudtrail.amazonaws.com')],
    }));
  }
}
    

I have used the exact policy that I am trying to use below in the GUI, but it does not seem to work through AWS-CDK. Thanks, everyone.

Tags: typescript, aws-cdk

Solution
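Two things in the stack above can let CloudTrail's CreateTrail call see an incomplete bucket policy: the CfnTrail has no dependency on the bucket policy, so CloudFormation may create the trail before the policy is attached, and the stack attaches two separate bucket policies to one bucket (the CfnBucketPolicy and the addToResourcePolicy grant), of which only the last one written survives, possibly the one holding just the GetBucketAcl statement. The following is an added example, not code from the question or from the CDK project: a stand-alone TypeScript check, with no CDK dependency, that builds the bucket policy CloudTrail expects and verifies a given policy document against the bucket ARN and the trail owner's account ID (both assumed inputs), so a mismatch such as a hard-coded account ID in the PutObject path is caught before deployment.

```typescript
// Added example (not from the question): builds the bucket policy CloudTrail
// expects and checks a policy document against it before deployment. Assumed
// inputs: bucketArn "arn:aws:s3:::<bucket>", 12-digit trail owner account ID.
type Statement = {
  Sid?: string; Effect: string;
  Principal: string | { Service: string | string[] };
  Action: string | string[]; Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
};
type PolicyDocument = { Version: string; Statement: Statement[] };
const ctService = "cloudtrail.amazonaws.com";
const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// The two statements CloudTrail requires: an ACL check on the bucket itself and
// PutObject under AWSLogs/<account>/ with the bucket-owner-full-control ACL.
function buildCloudTrailBucketPolicy(bucketArn: string, accountId: string): PolicyDocument {
  const Principal = { Service: ctService };
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "AWSCloudTrailAclCheck", Effect: "Allow", Principal,
        Action: "s3:GetBucketAcl", Resource: bucketArn },
      { Sid: "AWSCloudTrailWrite", Effect: "Allow", Principal,
        Action: "s3:PutObject", Resource: `${bucketArn}/AWSLogs/${accountId}/*`,
        Condition: { StringEquals: { "s3:x-amz-acl": "bucket-owner-full-control" } } },
    ],
  };
}

// True when a statement grants CloudTrail this action on this resource.
function grantsCloudTrail(s: Statement, action: string, resource: string): boolean {
  const principals = typeof s.Principal === "string" ? [s.Principal] : asList(s.Principal.Service);
  return s.Effect === "Allow" && principals.includes(ctService)
    && asList(s.Action).includes(action) && asList(s.Resource).includes(resource);
}

// Returns the reasons CloudTrail would reject this policy for a trail owned by
// accountId; an empty list means every required grant is present.
function checkCloudTrailBucketPolicy(doc: PolicyDocument, bucketArn: string, accountId: string): string[] {
  const problems: string[] = [];
  if (!doc.Statement.some((s) => grantsCloudTrail(s, "s3:GetBucketAcl", bucketArn)))
    problems.push(`missing s3:GetBucketAcl grant on ${bucketArn}`);
  const logPath = `${bucketArn}/AWSLogs/${accountId}/*`;
  const write = doc.Statement.find((s) => grantsCloudTrail(s, "s3:PutObject", logPath));
  if (!write) problems.push(`missing s3:PutObject grant on ${logPath} (check the account ID in the path)`);
  else if (write.Condition?.StringEquals?.["s3:x-amz-acl"] !== "bucket-owner-full-control")
    problems.push("s3:PutObject grant lacks the bucket-owner-full-control ACL condition");
  return problems;
}
```

In a CDK stack the same document can be fed to a single bucket policy, with the trail made to depend on that policy resource, so that CloudTrail validates the finished policy rather than whichever of two competing policies was written last.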

