0

I am creating a cloudformation stack where the templates creates Cloud trail and then S3 bucket and pushes all logs to S3 bucket.

I have tried creating Cloud trail,s3 bucket and tried attaching the s3 Bucket Policy to the bucket

Parameters:
    loggroupname: 
      Type: String
    trailname:
      Type: String
    s3bucketname:
      Type: String
Resources:
    createloggroup:
      Type: AWS::Logs::LogGroup
      Properties:
        LogGroupName: !Sub ${loggroupname}
    creates3bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: !Sub ${s3bucketname}
    s3bucketpolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Sub ${s3bucketname}
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: 'AWSCloudTrailAclCheck20150319'
              Effect: 'Allow'
              Principal: 
                  Service: 'cloudtrail.amazonaws.com'
              Action: 's3:GetBucketAcl'
              Resource: 
                !Sub 'arn:aws:s3:::${s3bucketname}'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AWSCloudTrailWrite20150319
              Effect: 'Allow'
              Principal: 
                  Service: 'cloudtrail.amazonaws.com'
              Action: 's3:PutObject'
              Resource: 
                !Sub 'arn:aws:s3:::${s3bucketname}/AWSLogs/${AWS::AccountId}/*'
              Condition:
                StringsEquals: 
                    s3:x-amz-acl: 'bucket-owner-full-control'
    myvpctrail:
      DependsOn:
        - s3bucketpolicy
      Type: AWS::CloudTrail::Trail
      Properties:
        IsLogging: true
        IsMultiRegionTrail: true
        IncludeGlobalServiceEvents: true
        S3BucketName: !Ref creates3bucket

Invalid Condition type : StringsEquals (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: F7439B111E82A3FA; S3 Extended Request ID: IGU1L7BB77WcrhPtmydd5j6viQdMK0vqA3Qo4RTS209FAvjT3q6wBIsyabdt5B7pBFvdr2MT+sM=)

maestro
  • 1
  • 5

1 Answers1

2

Simple typo.

It's StringEquals not StringsEquals.

Source: https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html

Metaljerk
  • 11
  • 2