我尝试使用 Terraform 在组织级别创建 CloudTrail,但遇到与 S3 存储桶策略相关的错误。 我尝试使用 AWS Docs 作为策略,尝试使用我手动创建的 S3 存储桶中的策略进行跟踪记录,但没有成功。
# Create the S3 bucket for CloudTrail logs
resource "aws_s3_bucket" "cloudtrail_bucket" {
bucket = "${var.organization_name}-cloudtrail-logs"
}
# Apply server-side encryption using AWS-managed keys (SSE-S3)
resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket_sse" {
bucket = aws_s3_bucket.cloudtrail_bucket.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
# Block public access for this S3 bucket
resource "aws_s3_bucket_public_access_block" "cloudtrail_bucket_block_acl" {
bucket = aws_s3_bucket.cloudtrail_bucket.id
restrict_public_buckets = true
ignore_public_acls = true
block_public_acls = true
block_public_policy = true
}
# Bucket policy for CloudTrail logging
resource "aws_s3_bucket_policy" "cloudtrail_bucket_policy" {
bucket = aws_s3_bucket.cloudtrail_bucket.id
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "${aws_s3_bucket.cloudtrail_bucket.arn}",
"Condition": {
"StringEquals": {
"aws:SourceArn": "${aws_cloudtrail.cloudtrail.arn}/${aws_cloudtrail.cloudtrail.name}"
}
}
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "${aws_s3_bucket.cloudtrail_bucket.arn}/AWSLogs/${var.account_id}/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "${aws_cloudtrail.cloudtrail.arn}/${aws_cloudtrail.cloudtrail.name}",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSCloudTrailOrganizationWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "${aws_s3_bucket.cloudtrail_bucket.arn}/AWSLogs/${var.organization_id}/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "${aws_cloudtrail.cloudtrail.arn}/${aws_cloudtrail.cloudtrail.name}",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
})
}
# CloudTrail resource
resource "aws_cloudtrail" "cloudtrail" {
name = "${var.organization_name}-organizational-Trail"
s3_bucket_name = aws_s3_bucket.cloudtrail_bucket.id
include_global_service_events = true
is_multi_region_trail = true
enable_log_file_validation = true
is_organization_trail = true
event_selector {
read_write_type = "WriteOnly"
include_management_events = true
}
}
还有同样的错误:
Error: creating CloudTrail Trail: operation error CloudTrail: CreateTrail, https response error StatusCode: 400, RequestID: fcc97f0b-483b-4eaa-9650-c56a10b9c3c6, InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket
│
│ with aws_cloudtrail.cloudtrail,
│ on main.tf line 84, in resource "aws_cloudtrail" "cloudtrail":
│ 84: resource "aws_cloudtrail" "cloudtrail" {
我始终收到错误:InsufficientS3BucketPolicyException:检测到存储桶的 S3 存储桶策略不正确。关于可能缺少的内容或如何纠正存储桶策略有什么建议吗?
我已经解决了问题:
"aws:SourceArn": "arn:aws:cloudtrail:eu-west-1:${var.account.id}:trail/${var.organization_name}-organizational-Trail"
由于某种原因,我必须手动输入 ARN,因为我使用时 CloudTrail 的 ARN 没有传递到策略:
"AWS:SourceArn": "${aws_cloudtrail.cloudtrail.arn}/${aws_cloudtrail.cloudtrail.name}"