Reputation: 351
Incorrect S3 bucket policy is detected for bucket in CloudFormation
I have issues implementing CloudTrail via Cloudformation, with a Incorrect S3 bucket policy is detected for bucket error being thrown when I try to launch the model.
Here is the configuration from the BucketPolicy:
"LogBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "LogBucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "LogBucket"
}
]
]
}
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "LogBucket"
},
"/AWSLogs/139339407673/*"
]
]
},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
}
}
I have copied the template from AWS examples, but let me know if I did a mistake in the implementation.
Edit: The error is not thrown by the bucket policy, but by CloudTrail. Here is the configuration of the bucket:
"Trail": {
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
},
"IsLogging": true,
"S3BucketName": {
"Ref": "LogBucket"
}
},
"DependsOn": [
"LogBucket"
]
}
Upvotes: 9
Views: 10996
Answers (3)
Reputation: 22068
Beside the dependency issue mentioned in the accepted answer, the error can also comes from different cases of wrong configuration of the S3 policy.
For example, if we look at the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20131101",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::myBucketName"
},
{
"Sid": "AWSCloudTrailWrite20131101",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/<account-id>/*"
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
Looking at the Resource block of the 2nd statement:
"Resource": "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/<account-id>/*"
Passing wrong values to the Resource block like bad prefix (my case) or forgetting the "*" postfix (like mentioned here in last scenario) can lead to the error.
(*) Example taken from here.
Upvotes: 0
Reputation: 351
As Krishna has mentioned, the error came from the fact that I didn't put the dependence of the BucketPolicy. When this was done, the stack was deployed with no issues.
Upvotes: 4
Reputation: 5887
I modified your code and it seems to be working for me. Can you try this?
{
"Parameters": {
"LogBucket": {
"Description": "Name Bucket.",
"Type": "String"
}
},
"Resources": {
"LogBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "LogBucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "LogBucket"
}
]
]
}
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "LogBucket"
},
"/AWSLogs/139339407673/*"
]
]
},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
}
}
}
}
Upvotes: 0
Related Questions
- AWS Bucket Policy Failed to create - Policy has invalid resource
- AWS: How to update an existing S3 bucket-policy via CloudFormation?
- CloudFormation CloudTrail S3 Policy Error - Incorrect S3 bucket policy is detected for bucket
- My s3 bucket policy wouldn't apply to existing or newly created buckets
- CloudFormation S3 Bucket Policy invalid action error
- AWS Cloudformation Error: Policy has invalid resource
- Incorrect S3 bucket policy is detected for bucket at Cloud Trail
- InvalidCondition in s3 Bucket Policy
- How to change s3 bucket policies with cloudformation?
- Cloudformation Bucket Policy - "Statement is missing required element"