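CloudFormation template throws "Encountered unsupported property Statement"

Question description  Votes: 1  Answers: 1

I am trying to build a CloudFormation template in which CloudTrail stores the logs from my VPC in an S3 bucket. When I try to launch it, I get an "Encountered unsupported property Statement" error for the bucket policy.

Here is the JSON I am using: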

"LogBucketPolicy": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "LogBucket"
            },
            "Statement": [
                {
                    "Sid": "AWSCloudTrailAclCheck",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": {
                        "Fn::Join": [
                            "",
                            [
                                "arn:aws:s3:::",
                                {
                                    "Ref": "LogBucket"
                                }
                            ]
                        ]
                    }
                },
                {
                    "Sid": "AWSCloudTrailWrite",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:PutObject",
                    "Resource": {
                        "Fn::Join": [
                            "",
                            [
                                "arn:aws:s3:::",
                                {
                                    "Ref": "LogBucket"
                                },
                                "/AWSLogs/",
                                "XXXXXXXXXXXX",
                                "/*"
                            ]
                        ]
                    },
                    "Condition": {
                        "StringEquals": {
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    }
                }
            ]
        }
}

This template is taken from an AWS example, so I am a bit confused about where I made a mistake.

amazon-web-services amazon-s3
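1 Answer
0
votes

The problem is that for the AWS::S3::BucketPolicy type, the expected properties are Bucket and PolicyDocument. In your template you do not have PolicyDocument; instead, you have Statement. That should fix the problem. The CloudFormation template reference can be found here.

The bucket policy snippet (the one I am referring to) can be found below: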

"BucketPolicy" : {
  "Type" : "AWS::S3::BucketPolicy",
  "Properties" : {
    "Bucket" : {"Ref" : "S3Bucket"},
    "PolicyDocument" : {
      "Version": "2012-10-17",
      "Statement": [
        {
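
The check described in the answer, as an added example that is not part of the original post: a Python sketch that flags `AWS::S3::BucketPolicy` resources carrying properties other than `Bucket` and `PolicyDocument`, and wraps a stray `Statement` in a `PolicyDocument`. The function names and the shortened sample template are assumptions made for illustration.

```python
import copy
import json

# Properties the answer above names for AWS::S3::BucketPolicy.
ALLOWED = {"Bucket", "PolicyDocument"}

# Constructed sample: the question's resource, shortened to one statement.
TEMPLATE = json.loads("""
{"Resources": {"LogBucketPolicy": {
  "Type": "AWS::S3::BucketPolicy",
  "Properties": {
    "Bucket": {"Ref": "LogBucket"},
    "Statement": [{
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "LogBucket"}]]}
    }]
  }
}}}
""")


def find_unsupported(template):
    """Return {logical_id: [unsupported property names]} for bucket policies."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        extra = sorted(set(res.get("Properties", {})) - ALLOWED)
        if extra:
            findings[name] = extra
    return findings


def hoist_statement(template):
    """Return a copy with a stray top-level Statement moved under PolicyDocument."""
    fixed = copy.deepcopy(template)
    for name in find_unsupported(fixed):
        props = fixed["Resources"][name]["Properties"]
        if "Statement" in props and "PolicyDocument" not in props:
            # Version value as used in the answer's snippet.
            props["PolicyDocument"] = {
                "Version": props.pop("Version", "2012-10-17"),
                "Statement": props.pop("Statement"),
            }
    return fixed
```

Running `find_unsupported` on a template before deployment surfaces the misplaced key without waiting for the stack to fail.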