
Thanks in advance!

I've been stuck on this all weekend. I'm attempting to create a CloudTrail service in CloudFormation but receive this error when it is run: Incorrect S3 bucket policy is detected for bucket: s3bucket-xxxxxx

Here's my code:

"s3bucket-xxxxxx": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "AccessControl": "Private",
        "VersioningConfiguration": {
            "Status": "Suspended"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"s3policytraillogs": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "s3bucket-xxxxxx"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::s3bucket-xxxxxx"
                },
                {
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:PutObject",
                    "Resource":  "arn:aws:s3:::s3bucket-xxxxxx/AWSLogs/XXXXXXXX/*",
                    "Condition": {
                        "StringEquals": {
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    }
                }
            ]
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
},
"trailtraillogs": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "IncludeGlobalServiceEvents": true,
        "IsLogging": "true",
        "S3BucketName": {
            "Ref": "s3bucket-xxxxxx"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "id": "XXXX"
        }
    }
}
  • What is the intended purpose of `"VersioningConfiguration": { "Status": "Suspended" }`? It seems like it should be rather impossible to create a bucket with versioning suspended. – Michael - sqlbot May 15 '17 at 22:39
  • Hey Michael thanks for getting back to me, that's just something that cloudformer has generated, would that need to be a different value? – Joshua G. Edwards May 16 '17 at 07:54
  • I was only operating on intuition, there. Versioning on a bucket can only be suspended after it is first enabled -- I would think. But actually, the error is about the policy, so I may have misdirected you. I will examine the policy section more closely. – Michael - sqlbot May 16 '17 at 11:09
  • I wonder if you don't need something to construct your ARNs like `"Resource": [{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "s3bucket-xxxxxx" }, "/AWSLogs/XXXXXXXX/*" ]` in the second statement and something similar but without the final string in the first one. I'm afraid I really don't see the issue, otherwise. – Michael - sqlbot May 16 '17 at 11:16
  • ...Or a mismatch between the bucket prefix configured in CloudTrail and what the bucket policy allows, mentioned at http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html I'm not feeling very helpful at this point, but this page mentions that exact error message. Maybe you've already seen it, but you didn't mention it. – Michael - sqlbot May 16 '17 at 11:21
  • I added a depends on "DependsOn": "s3bucket-xxxxxx", and that seemed to get rid of the error! Now I have another error "s3policytraillogs Policy has invalid resource", any ideas on that one? – Joshua G. Edwards May 16 '17 at 13:26
  • Thanks for your help Michael! – Joshua G. Edwards May 16 '17 at 15:14

3 Answers


To fix this, the resource needed to be joined up to the bucket using a reference:

                    "Resource": [{
                      "Fn::Join": [ "", [
                          "arn:aws:s3:::", {
                            "Ref": "s3traillogs"
                          }, "/AWSLogs/XXXXXXXXXXX/*"
                        ]
                      ]
                    }],

The mentioned error can also occur due to:

1 ) Dependency issues between the trail and the bucket.

This can be solved by referencing the bucket from the trail:

   "DependsOn": [
        "TheLogBucket"
    ]

2 ) Bad configuration of the bucket policy.

For example, in the 2nd statement, "Resource":"arn:aws:s3:::myBucketName/<prefix>/AWSLogs/<account-id>/*":
passing a wrong prefix or account ID, or forgetting the "*" postfix.

3 ) Bad indentation or misplaced quotation marks in the YAML file.


(*) Issues #1 and #2 are also mentioned here.

(**) Please make sure you follow CloudTrail Trail Naming Requirements.

Rot-man
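As an added example (not code from the question or from any of the answers), the Python script below builds the bucket policy CloudTrail expects for a given bucket name, account id and optional prefix, and checks an existing, already resolved policy document for the causes discussed in the first two answers: a hard-coded or wrong account id or prefix in the s3:PutObject resource (the question's policy still carried the XXXXXXXX placeholder), a missing trailing "/*", a missing s3:GetBucketAcl statement, or a missing bucket-owner-full-control condition. Bucket names and the account id 123456789012 are constructed placeholders, and all function names are mine.

```python
"""Added example (not from the question or any answer): build the bucket
policy CloudTrail expects and check a resolved policy document for the
mistakes the answers list (wrong prefix / account id, missing trailing
"/*", missing ACL-check statement, missing bucket-owner-full-control).
All bucket names and account ids below are constructed placeholders."""
import fnmatch
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def expected_write_resource(bucket, account_id, prefix=""):
    """ARN pattern CloudTrail needs s3:PutObject on: <bucket>/<prefix>/AWSLogs/<account-id>/*"""
    path = prefix.strip("/") + "/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*"


def build_policy(bucket, account_id, prefix=""):
    """The two statements from the CloudTrail documentation, with the ARNs derived
    from the real bucket name and account id instead of typed-in placeholders."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "s3:PutObject",
                "Resource": expected_write_resource(bucket, account_id, prefix),
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Service.
    return value if isinstance(value, list) else [value]


def _allows(stmt, action):
    """True if the statement is an Allow for the CloudTrail service principal on `action`."""
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and CLOUDTRAIL in services
            and action in _as_list(stmt.get("Action", [])))


def check_policy(policy, bucket, account_id, prefix=""):
    """Return the list of problems found; an empty list means the policy grants
    what CloudTrail checks for (GetBucketAcl on the bucket, PutObject on the
    AWSLogs path with the bucket-owner-full-control condition)."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # A representative object key CloudTrail would write. The policy's Resource
    # pattern (IAM wildcards * and ?) must match it; a missing trailing "/*",
    # a wrong prefix or a wrong account id all show up as a non-match.
    sample_key = expected_write_resource(bucket, account_id, prefix)[:-1] + \
        "CloudTrail/us-east-1/2017/05/16/sample_CloudTrail_us-east-1.json.gz"
    stmts = policy.get("Statement", [])

    if not any(_allows(s, "s3:GetBucketAcl") and bucket_arn in _as_list(s.get("Resource", []))
               for s in stmts):
        problems.append(f"no Allow for {CLOUDTRAIL} to s3:GetBucketAcl on {bucket_arn}")

    write_stmts = [s for s in stmts if _allows(s, "s3:PutObject")]
    if not write_stmts:
        problems.append(f"no Allow for {CLOUDTRAIL} to s3:PutObject")
    for s in write_stmts:
        patterns = _as_list(s.get("Resource", []))
        if not any(fnmatch.fnmatchcase(sample_key, p) for p in patterns):
            problems.append(f"s3:PutObject Resource {patterns} does not cover {sample_key} "
                            "(check bucket name, prefix, account id and the trailing /*)")
        acl = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            problems.append("s3:PutObject statement lacks Condition StringEquals "
                            "s3:x-amz-acl = bucket-owner-full-control")
    return problems


if __name__ == "__main__":
    bucket, account = "s3bucket-xxxxxx", "123456789012"  # constructed placeholders
    good = build_policy(bucket, account)
    print(json.dumps(good, indent=2))
    print("good policy:", check_policy(good, bucket, account))
    # The question's second statement as it would be deployed, with the account
    # id placeholder left in: CloudTrail's write path never matches it.
    bad = json.loads(json.dumps(good))
    bad["Statement"][1]["Resource"] = f"arn:aws:s3:::{bucket}/AWSLogs/XXXXXXXX/*"
    print("bad policy:", check_policy(bad, bucket, account))
```

Run the checker against the policy as it would actually be deployed, i.e. after Ref and Fn::Join have been resolved. Inside a template the same derivation is done with Fn::Join over a Ref to the bucket plus the AWS::AccountId pseudo parameter, so no account id has to be typed in at all. The DependsOn point from the answer above is separate and not something a policy checker can see: the policy must already be attached to the bucket at the moment the trail resource is created.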

Based on the resource definition, the YAML would probably be as follows:

  EventBucketStorage:
    Type: "AWS::S3::Bucket"
    Properties:
      #AccessControl: PublicRead
      MetricsConfigurations:
        - Id: EventBucketStorageMetrics
      BucketName: !Sub "s3-event-step-bucket-storage-s"

  EventBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref EventBucketStorage
      PolicyDocument:
        # quoted so YAML keeps it as a string rather than parsing a date
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck20150319"
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Join
              - ""
              - - "arn:aws:s3:::"
                - !Ref EventBucketStorage
          - Sid: AWSCloudTrailWrite20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Join
              - ""
              - - "arn:aws:s3:::"
                - !Ref EventBucketStorage
                - /*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

You can also check the link Start the execution of State Machine based on Amazon S3 Event.

DHEERAJ