Varun Kumar

Reputation: 3

Unable to create bucket policy for cross account write of logs in S3

I am trying to write logs from CloudWatch log streams to a cross-account S3 bucket. While creating the bucket policy in account B, I am getting the following error.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketAcl",
        "s3:PutObject",
        "s3:getobject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ayush-test-b3245-4676/*",
      "Principal": {
        "AWS": "arn:aws:iam::45097+@#%^*#:role/service-role/s3-bucket-lambda-role-uz281"
      }
    }
  ]
}

Please help me resolve this issue; I want to add a Lambda role to write these logs.

Error Screenshot

Upvotes: 0

Views: 48

Answers (1)

stijndepestel

Reputation: 3564

There is already an answer in the comment, but I'll provide some more explanation.

In the resource section, you need to have a resource that corresponds to each of the actions you've put in the Action array. In this case, PutBucketAcl needs a bucket resource, while in your example, you only have a resource that corresponds to objects inside the bucket.

Also, please double-check the spelling of s3:getobject which should be s3:GetObject.

Upvotes: 1
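As an added example (not the answerer's code), the checker below applies both points from the answer to the policy in the question: it flags bucket-level actions granted only on an object ARN (`bucket/*`) and action names whose spelling differs from the documented one. The sets of bucket-level and object-level actions are a small constructed subset, and the account id in the sample policy is a placeholder.

```python
import json
import re

# Constructed subset of S3 actions, enough for the policy in the question.
BUCKET_LEVEL = {"s3:PutBucketAcl", "s3:GetBucketAcl", "s3:ListBucket", "s3:PutBucketPolicy"}
OBJECT_LEVEL = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl"}
CANONICAL = {a.lower(): a for a in BUCKET_LEVEL | OBJECT_LEVEL}  # "s3:getobject" -> "s3:GetObject"
S3_ARN = re.compile(r"^arn:aws:s3:::([^/]+)(/.*)?$")             # group 2 present => object ARN

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy_json: str) -> list:
    """Return findings for actions whose Resource scope or spelling is off; [] if clean."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        arns = [S3_ARN.match(r) for r in _as_list(st.get("Resource", []))]
        has_bucket_arn = any(m and not m.group(2) for m in arns)  # arn:aws:s3:::bucket
        has_object_arn = any(m and m.group(2) for m in arns)      # arn:aws:s3:::bucket/...
        for action in _as_list(st.get("Action", [])):
            canon = CANONICAL.get(action.lower())
            if canon is None:
                findings.append(f"statement {i}: unknown action {action!r}")
                continue
            if canon != action:
                findings.append(f"statement {i}: {action!r} does not match the documented name {canon!r}")
            if canon in BUCKET_LEVEL and not has_bucket_arn:
                findings.append(f"statement {i}: {canon} needs a bucket ARN (no '/...' suffix) in Resource")
            if canon in OBJECT_LEVEL and not has_object_arn:
                findings.append(f"statement {i}: {canon} needs an object ARN ('bucket/*') in Resource")
    return findings

# The policy from the question; the account id is a constructed placeholder.
ROLE = "arn:aws:iam::123456789012:role/service-role/s3-bucket-lambda-role-uz281"
QUESTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": ["s3:PutBucketAcl", "s3:PutObject", "s3:getobject"],
    "Resource": "arn:aws:s3:::ayush-test-b3245-4676/*"}]})
# Same grant with both fixes applied: a bucket ARN for PutBucketAcl, canonical GetObject.
CORRECTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": ["s3:PutBucketAcl", "s3:PutObject", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::ayush-test-b3245-4676", "arn:aws:s3:::ayush-test-b3245-4676/*"]}]})

if __name__ == "__main__":
    for finding in lint_policy(QUESTION_POLICY):
        print(finding)
    print("corrected policy findings:", lint_policy(CORRECTED_POLICY))
```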
