typescript - InsufficientS3BucketPolicyException from aws-cdk
Problem description
So I'm trying to create a solution that creates an S3 bucket which CloudTrail is allowed to log to. I get an error like the following:
Incorrect S3 bucket policy is detected for bucket: accountbaselinestack-mastercloudtrailbucket24da1a-gbg32oqnp9kp (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientS3BucketPolicyException;
Request ID: 880aca54-2096-44c2-853b-0e6cf735a1ca; Proxy: null)
Here is the code in question:
import * as sns from '@aws-cdk/aws-sns';
import * as subs from '@aws-cdk/aws-sns-subscriptions';
import * as s3 from '@aws-cdk/aws-s3';
import * as iam from '@aws-cdk/aws-iam';
import * as cdk from '@aws-cdk/core';
import { Aws } from '@aws-cdk/core';
import * as guardduty from '@aws-cdk/aws-guardduty';
import * as events from '@aws-cdk/aws-events';
import * as eventTargets from '@aws-cdk/aws-events-targets';
import * as cloudtrail from '@aws-cdk/aws-cloudtrail';
import * as logs from '@aws-cdk/aws-logs';
import { CfnBucketPolicy } from '@aws-cdk/aws-s3';

// I need to find a way to use this for the emailsub
// export interface guardDutyAccountProps {
//   email: string
// }
const contactEmail = 'testEmailHere@test.com';

export class AccountBaselineStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Enable GuardDuty in this account/region
    new guardduty.CfnDetector(this, 'GuardDutyDetector', { enable: true });

    // Role CloudTrail assumes to deliver events to CloudWatch Logs
    const mainCloudWatchRole = new iam.Role(this, 'mainCloudWatchRole', {
      assumedBy: new iam.ServicePrincipal('cloudtrail.amazonaws.com'),
    });
    mainCloudWatchRole.addManagedPolicy(
      iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchLogsFullAccess'),
    );

    // SNS topic with an e-mail subscriber for GuardDuty findings
    const guardDutyTopic = new sns.Topic(this, 'GuardDutyNotificationTopic');
    guardDutyTopic.addSubscription(new subs.EmailSubscription(contactEmail));

    // EventBridge rule that forwards every GuardDuty finding to the topic
    const eventRule = new events.Rule(this, 'GuardDutyEventRule', {
      eventPattern: {
        source: ['aws.guardduty'],
        detailType: ['GuardDuty Finding'],
      },
    });
    const awsAccountID = Aws.ACCOUNT_ID.toString(); // not used below; the bucket policy hard-codes the account ID
    eventRule.addTarget(new eventTargets.SnsTopic(guardDutyTopic, {
      message: events.RuleTargetInput.fromText(
        `WARNING: AWS GuardDuty has discovered a ${events.EventField.fromPath('$.detail.type')} security issue for (${events.EventField.fromPath('$.region')}). Please go to https://${events.EventField.fromPath('$.region')}.console.aws.amazon.com/guardduty/ to find out more details.`,
      ),
    }));

    // Bucket that receives the CloudTrail log files
    const masterCloudtrailBucket = new s3.Bucket(this, 'mastercloudtrailbucket', {
      bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
    });

    // CloudWatch Logs group the trail also delivers to
    const mainCloudTrailLogGroup = new logs.LogGroup(this, 'cloudTrailLogGroup', {
      logGroupName: cdk.PhysicalName.GENERATE_IF_NEEDED,
      retention: logs.RetentionDays.ONE_YEAR,
    });

    // The trail itself (L1 construct); it references the bucket, not the bucket policy
    const mainCloudTrail = new cloudtrail.CfnTrail(this, 'mainCloudTrail', {
      trailName: 'mainCloudTrail',
      isLogging: true,
      s3BucketName: masterCloudtrailBucket.bucketName,
      cloudWatchLogsRoleArn: mainCloudWatchRole.roleArn,
      cloudWatchLogsLogGroupArn: mainCloudTrailLogGroup.logGroupArn,
      isMultiRegionTrail: true,
      includeGlobalServiceEvents: true,
    });

    // Bucket policy taken from the console: ACL check on the bucket plus writes under AWSLogs/<account>/
    new CfnBucketPolicy(this, 'MasterCloudtrailBucketPolicy', {
      policyDocument: {
        Version: '2012-10-17',
        Statement: [
          {
            Sid: 'AWSCloudTrailAclCheck20150319',
            Effect: 'Allow',
            Principal: { Service: 'cloudtrail.amazonaws.com' },
            Action: 's3:GetBucketAcl',
            Resource: masterCloudtrailBucket.bucketArn,
          },
          {
            Sid: 'AWSCloudTrailWrite20150319',
            Effect: 'Allow',
            Principal: { Service: 'cloudtrail.amazonaws.com' },
            Action: 's3:PutObject',
            Resource: masterCloudtrailBucket.bucketArn + '/AWSLogs/029534166073/*',
            Condition: {
              StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
            },
          },
        ],
      },
      bucket: masterCloudtrailBucket.bucketName,
    });

    // Second grant added through the L2 bucket; this creates its own AWS::S3::BucketPolicy resource
    masterCloudtrailBucket.addToResourcePolicy(new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['s3:GetBucketAcl'],
      resources: [masterCloudtrailBucket.bucketArn],
      principals: [new iam.ServicePrincipal('cloudtrail.amazonaws.com')],
    }));
  }
}
I have used the exact policy that I tried in the GUI below, but it doesn't seem to work through AWS-CDK. Thanks all.
Solution
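An added example, not code from the question or from the CDK project: a plain TypeScript check for the two grants CloudTrail validates when a trail is created, so a bucket policy that would raise InsufficientS3BucketPolicyException (one that only covers s3:GetBucketAcl, or whose PutObject path is written for a different account ID) is caught at synth time instead of at deploy. The builder returns the same two statements as the console policy in the question; the ARN and account ID in the sample are constructed, and resources are compared as exact strings.

```typescript
type Statement = {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal?: { Service?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
};
type PolicyDocument = { Version: string; Statement: Statement[] };
const CLOUDTRAIL = 'cloudtrail.amazonaws.com';
const asList = (v?: string | string[]): string[] => v === undefined ? [] : Array.isArray(v) ? v : [v];

// The policy the console generates: an ACL check on the bucket plus PutObject under
// AWSLogs/<account>/ that requires the bucket-owner-full-control canned ACL.
function cloudTrailBucketPolicy(bucketArn: string, accountId: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      { Sid: 'AWSCloudTrailAclCheck', Effect: 'Allow', Principal: { Service: CLOUDTRAIL },
        Action: 's3:GetBucketAcl', Resource: bucketArn },
      { Sid: 'AWSCloudTrailWrite', Effect: 'Allow', Principal: { Service: CLOUDTRAIL },
        Action: 's3:PutObject', Resource: `${bucketArn}/AWSLogs/${accountId}/*`,
        Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } } },
    ],
  };
}

// Grants the policy lacks for this bucket and account; empty means CloudTrail can validate
// the bucket and write to it. Resources are compared as exact strings (assumption: no
// wildcard expansion), which matches the console-style policy above.
function missingCloudTrailGrants(doc: PolicyDocument, bucketArn: string, accountId: string): string[] {
  const allowsCloudTrail = (s: Statement) =>
    s.Effect === 'Allow' && asList(s.Principal?.Service).includes(CLOUDTRAIL);
  const writePath = `${bucketArn}/AWSLogs/${accountId}/*`;
  const hasAclCheck = doc.Statement.some(s => allowsCloudTrail(s)
    && asList(s.Action).includes('s3:GetBucketAcl') && asList(s.Resource).includes(bucketArn));
  const hasWrite = doc.Statement.some(s => allowsCloudTrail(s)
    && asList(s.Action).includes('s3:PutObject') && asList(s.Resource).includes(writePath)
    && s.Condition?.StringEquals?.['s3:x-amz-acl'] === 'bucket-owner-full-control');
  const missing: string[] = [];
  if (!hasAclCheck) missing.push(`s3:GetBucketAcl on ${bucketArn}`);
  if (!hasWrite) missing.push(`s3:PutObject on ${writePath} with bucket-owner-full-control`);
  return missing;
}
// Constructed sample (hypothetical ARN and account): the statement the question adds through
// addToResourcePolicy, i.e. a second bucket policy carrying only the ACL check.
const SAMPLE_ARN = 'arn:aws:s3:::example-cloudtrail-bucket';
const aclOnlyPolicy: PolicyDocument = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: { Service: CLOUDTRAIL }, Action: 's3:GetBucketAcl', Resource: SAMPLE_ARN } ] };
console.log(missingCloudTrailGrants(aclOnlyPolicy, SAMPLE_ARN, '111122223333'));
```

In the question, the CfnBucketPolicy and the policy created by addToResourcePolicy are two separate AWS::S3::BucketPolicy resources on the same bucket, and the CfnTrail declares no dependency on either of them, so the check is worth running against the policy document that actually lands in the synthesized template.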