
I have the following code which I'm trying to deploy to CloudFormation. For some reason, it insists that I'm missing a crucial element in my template.

I only started getting this error since I modified the bucket policy in the resource S3NotificationBucketPolicy.

Any insights will be great.

{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
    "S3NotificationBucketPolicy": {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "S3NotificationBucket"
            },
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "AWSCloudTrailAclCheck20150318",
                        "Action": "s3:GetBucketAcl",
                        "Effect": "Allow",
                        "Resource": {
                            "Fn::Join": ["",
                            ["arn:aws:s3:::",
                            {
                                "Ref": "S3NotificationBucket"
                            }]]
                        },
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        }
                    },
                    {
                        "Sid": "AWSCloudTrailWrite20150318",
                        "Action": "s3:PutObject",
                        "Effect": "Allow",
                        "Resource": {
                            "Fn::Join": ["",
                            ["arn:aws:s3:::",
                            {
                                "Ref": "S3NotificationBucket"
                            },
                            "/*"]]
                        },
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        },
                        "Condition": {
                            "StringEquals": {
                                "s3:x-amz-acl": "bucket-owner-full-control"
                            }
                        }
                    }]
                }]
            }
        }
    },
    "S3Bucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Delete",
        "Properties": {

        }
    },
    "S3NotificationBucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Delete",
        "Properties": {

        }
    },
    "S3BucketPolicyForCloudTrail": {
        "DependsOn": "S3Bucket",
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {
                "Ref": "S3Bucket"
            },
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": {
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        }]]
                    }
                },
                {
                    "Sid": "Permissions for Cloudtrail",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:*",
                    "Resource": {
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        },
                        "/*"]]
                    }
                }]
            }
        }
    },
    "CloudTrailForS3": {
        "DependsOn": ["S3NotificationBucketPolicy",
        "S3BucketPolicyForCloudTrail"],
        "Type": "AWS::CloudTrail::Trail",
        "Properties": {
            "EventSelectors": [{
                "DataResources": [{
                    "Type": "AWS::S3::Object",
                    "Values": [{
                        "Fn::Join": ["",
                        ["arn:aws:s3:::",
                        {
                            "Ref": "S3Bucket"
                        },
                        "/*"]]
                    }]
                }],
                "ReadWriteType": "All",
                "IncludeManagementEvents": false
            }],
            "S3BucketName": {
                "Ref": "S3NotificationBucket"
            },
            "IsLogging": true,
            "IncludeGlobalServiceEvents": true
        }
    }
  }
}

And it fails with the following message, even though I have stated the required element.

Missing required field Effect (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: B44FBDB00CA6AFDD; S3 Extended Request ID: jglPqCY9LCEOvIz5v7d2vyFbeaaelNVgahs7nGtYg5NJR20FRfef4m0lgtzqZEMyltI7d9T1g4s=)

John Rotenstein
M.Weissman

1 Answer


Your problem is that the S3NotificationBucketPolicy Policy Document has an extra Version and Statement:

"S3NotificationBucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "S3NotificationBucket"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",      <-- Here
            "Statement": [{
                "Version": "2012-10-17",  <-- And here
                "Statement": [{
                    "Sid": "AWSCloudTrailAclCheck20150318",

Remove one of them (and the matching closing brackets) and you'll be fine.

John Rotenstein
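A small structural linter, added here as an illustration and not part of the question or the answer, that reproduces S3's "missing required field Effect" complaint on the posted PolicyDocument and passes the shape the answer recommends. The bucket name is a placeholder and the Fn::Join ARNs are written out as plain strings, since CloudFormation intrinsics are not resolved here.

```python
# Keys every statement in an S3 bucket policy must carry.
REQUIRED = ("Effect", "Action", "Resource", "Principal")


def lint_policy_document(doc):
    """Return a list of findings for a bucket PolicyDocument.

    An empty list means the document has the shape S3 expects: a
    top-level Version plus a Statement array whose elements each carry
    Effect, Action, Resource and Principal.  A statement that instead
    contains its own Version/Statement keys is the nesting mistake from
    the question above and is reported explicitly.
    """
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("top level: Version should be 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list):
        return findings + ["top level: Statement must be a list"]
    for i, stmt in enumerate(statements):
        where = "Statement[%d]" % i
        if "Statement" in stmt or "Version" in stmt:
            findings.append("%s: contains a nested Version/Statement; a whole "
                            "policy document sits where one statement belongs" % where)
        for key in REQUIRED:
            if key not in stmt:
                findings.append("%s: missing required field %s" % (where, key))
        if stmt.get("Effect") not in (None, "Allow", "Deny"):
            findings.append("%s: Effect must be Allow or Deny" % where)
    return findings


# Constructed inputs: the two CloudTrail statements from the question's
# S3NotificationBucketPolicy, with a placeholder bucket name.
BUCKET = "example-notification-bucket"
INNER = [
    {"Sid": "AWSCloudTrailAclCheck20150318", "Effect": "Allow",
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::" + BUCKET,
     "Principal": {"Service": "cloudtrail.amazonaws.com"}},
    {"Sid": "AWSCloudTrailWrite20150318", "Effect": "Allow",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::" + BUCKET + "/*",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]
# As posted: a complete policy document nested inside the Statement array.
BROKEN = {"Version": "2012-10-17",
          "Statement": [{"Version": "2012-10-17", "Statement": INNER}]}
# As the answer suggests: the inner Version/Statement wrapper removed.
FIXED = {"Version": "2012-10-17", "Statement": INNER}
```

Running `lint_policy_document(BROKEN)` reports the nested wrapper plus the four missing required keys (Effect among them), which is exactly what S3 rejected; `lint_policy_document(FIXED)` returns no findings.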