Enable S3 logging via CloudFormation template?
Solution 1
Needed to put this under the log bucket's properties:
Properties: {
  AccessControl: "LogDeliveryWrite"
}
Solution 2
I think your problem is twofold:
- There is no s3:ListBucket in the actions, therefore the contents of the bucket cannot be read.
- Actions on S3 buckets are run at a bucket (VendorsWGLogs) and contents (VendorsWGLogs/*) level, and you therefore need to list both of them under resources. The resulting policy should read:
"Resource": [ "arn:aws:s3:::VendorsWGLogs", "arn:aws:s3:::VendorsWGLogs/*" ]
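A template that combines both solutions, added here as an example (it is not code from either answer or from the question): the log bucket gets the log-delivery ACL from Solution 1, and the group's permissions use the bucket and bucket/* ARNs from Solution 2. It assumes CloudFormation YAML syntax, that the question's placeholder group "someUserGroup" exists, and that the log bucket needs ACLs enabled explicitly (the OwnershipControls block), since buckets are created with ACLs disabled today; the group permissions are attached as an identity policy because an IAM group cannot be a bucket-policy Principal.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  VendorsWGLogs:
    Type: AWS::S3::Bucket
    Properties:
      # Solution 1: grant the S3 log-delivery group the WRITE and READ_ACP the error asks for.
      AccessControl: LogDeliveryWrite
      # Buckets are created with ACLs disabled today, so any AccessControl other than
      # Private fails to deploy unless ACLs are enabled here (assumed needed for this account).
      OwnershipControls:
        Rules:
          - ObjectOwnership: ObjectWriter
      # Keep the log bucket private; the LogDelivery group is not a public grantee,
      # so these settings do not block the canned ACL above.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  VendorsWG:
    Type: AWS::S3::Bucket
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref VendorsWGLogs
        LogFilePrefix: testing-logs
  # An IAM group cannot be the Principal of a bucket policy, so the question's object
  # permissions are attached to the group as an identity policy instead.
  # "someUserGroup" is the question's placeholder group name.
  VendorsWGGroupAccess:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: VendorsWGObjectAccess
      Groups:
        - someUserGroup
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Object actions target the contents: the "/*" ARN from Solution 2.
          - Effect: Allow
            Action: [s3:GetObject, s3:PutObject, s3:DeleteObject]
            Resource: !Sub "arn:aws:s3:::${VendorsWG}/*"
          # ListBucket targets the bucket itself: the bare bucket ARN from Solution 2.
          - Effect: Allow
            Action: s3:ListBucket
            Resource: !Sub "arn:aws:s3:::${VendorsWG}"
            Condition:
              StringLike:
                s3:prefix: "weatherguidance*"
```

No bucket policy on the log bucket is needed once the ACL grant is in place. If the log bucket must keep ACLs disabled, grant s3:PutObject to the logging.s3.amazonaws.com service principal in a bucket policy on the log bucket instead.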
c0de
Updated on June 09, 2022
Comments
-
c0de almost 2 years
I am trying to create 2 buckets with 2 different policies.
One bucket, VendorsWGLogs, will be the destination for log output.
The other bucket, VendorsWG, will give GetObject, PutObject, and DeleteObject access to a specified IAM group.
Here is what I have so far:
"Resources": {
  "VendorsWGLogs": {
    "Type": "AWS::S3::Bucket",
    "Properties": {}
  },
  "LogsBucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
      "Bucket": { "Ref": "VendorsWGLogs" },
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "WeatherGuidance LogBucket permissions",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:s3:::VendorsWG" },
            "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ],
            "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "VendorsWGLogs" }, "/*" ] ] }
          }
        ]
      }
    }
  },
  "VendorsWG": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
      "LoggingConfiguration": {
        "DestinationBucketName": { "Ref": "VendorsWGLogs" },
        "LogFilePrefix": "testing-logs"
      }
    },
    "Metadata": {
      "AWS::CloudFormation::Designer": { "id": "a1169860-d743-406e-a3e5-e12831826439" }
    }
  },
  "S3BP4TNQZ": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
      "Bucket": { "Ref": "VendorsWG" },
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "WeatherGuidance Object permissions",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::someUserGroup" },
            "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ],
            "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "VendorsWG" }, "/*" ] ] }
          },
          {
            "Sid": "WeatherGuidance ListBucket",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::someUserGroup" },
            "Action": "s3:ListBucket",
            "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "VendorsWG" } ] ] },
            "Condition": { "StringLike": { "s3:prefix": "weatherguidance*" } }
          }
        ]
      }
    }
  }
}
When I try to create a stack, I get this error.
Event Log output:
Type: AWS::S3::Bucket
Logical ID: VendorsWG
Status reason: You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket
I thought that specifying the target bucket's policy's principal as VendorsWGLogs would fix this, and now I am out of ideas.
What am I doing wrong? What can I do to get logging enabled? Thanks.
-
c0de about 7 years
Thanks for your response! I don't understand what you mean by #1. Also, the bucket should be listed under resources where?
-
c0de about 7 years
I changed actions to use the wildcard, *, and I added the Resource line, but I am still getting the same error.