
I have been working on setting up CloudTrail for an IAM user using Boto but I have run into an error:

An error occurred (InsufficientS3BucketPolicyException) when calling the CreateTrail operation: Incorrect S3 bucket policy is detected for bucket: goodbucket

I am not sure what's wrong here. Saving the CloudTrail log is not a priority, but I will need the ResourceID to delete the resource later on using Lambda functions.

    import boto3
    import json

    # IAM and STS are global; the EC2 resources in the policy and the trail
    # both live in one region, so pin that region here instead of relying on
    # whatever the environment's default region happens to be.
    REGION = 'us-east-2'

    iam = boto3.client('iam')
    sts = boto3.client('sts')
    cloudtrail = boto3.client('cloudtrail', region_name=REGION)

    response = iam.create_user(
        UserName='GoodUser'
    )
    IDK = sts.get_caller_identity()
    print(IDK['UserId'])
    ACCOUNT = IDK['Account']

    response = iam.create_group(
        GroupName='GoodGroup'
    )

    response = iam.add_user_to_group(
        GroupName='GoodGroup',
        UserName='GoodUser'
    )

    # RunInstances is authorized once per resource it touches, and the
    # ec2:InstanceType / ec2:VolumeSize keys only exist in the request context
    # for the instance and volume resources. They therefore get their own
    # statements with plain single-valued operators. The earlier version used
    # ForAllValues:* on every resource, which AWS warns against for single-valued
    # keys because the set operator evaluates to true whenever the key is absent.
    # Note also that AMI ARNs have an empty account field.
    some_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RunInstancesSupportingResources",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*",
                    f"arn:aws:ec2:{REGION}:{ACCOUNT}:key-pair/*",
                    f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*",
                    f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*",
                    f"arn:aws:ec2:{REGION}::image/ami-0a91cd140a1fc148a"
                ]
            },
            {
                "Sid": "RunInstancesT2MicroOnly",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                "Condition": {
                    "StringEquals": {
                        "ec2:InstanceType": "t2.micro"
                    }
                }
            },
            {
                "Sid": "RunInstancesSmallVolumesOnly",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*",
                "Condition": {
                    "NumericLessThanEquals": {
                        "ec2:VolumeSize": "10"
                    }
                }
            },
            {
                "Sid": "ManageT2MicroInstances",
                "Effect": "Allow",
                "Action": [
                    "ec2:TerminateInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                "Condition": {
                    "StringEquals": {
                        "ec2:InstanceType": "t2.micro"
                    }
                }
            },
            {
                # Read-only and key-pair actions, only valid inside a fixed
                # 35-minute window; requests outside it are denied.
                "Sid": "ReadOnlyWithinTimeWindow",
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*",
                    "ec2:GetConsole*",
                    "cloudwatch:DescribeAlarms",
                    "iam:ListInstanceProfiles",
                    "cloudwatch:GetMetricStatistics",
                    "ec2:DescribeKeyPairs",
                    "ec2:CreateKeyPair"
                ],
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {
                        "aws:CurrentTime": "2020-12-10T05:00:00Z"
                    },
                    "DateLessThanEquals": {
                        "aws:CurrentTime": "2020-12-10T05:35:00Z"
                    }
                }
            }
        ]
    }
    response = iam.create_policy(
        PolicyName='GoodPolicy',
        PolicyDocument=json.dumps(some_policy)
    )
    print(response)

    # Use the ARN CreatePolicy returns instead of rebuilding it by hand.
    IDK1 = iam.attach_group_policy(
        GroupName='GoodGroup',
        PolicyArn=response['Policy']['Arn']
    )

    # This is the call that raises InsufficientS3BucketPolicyException: the
    # bucket must already carry a bucket policy that lets cloudtrail.amazonaws.com
    # call s3:GetBucketAcl on it and s3:PutObject under AWSLogs/<account>/.
    logs = cloudtrail.create_trail(
        Name='GoodTrail',
        S3BucketName='goodbucket',
    )
    print(logs)
John Rotenstein

1 Answer

You are configuring AWS CloudTrail to write log files to an Amazon S3 bucket. To do this, the S3 bucket requires a Bucket Policy that grants permission to the CloudTrail service to write to the bucket.

From Amazon S3 Bucket Policy for CloudTrail - AWS CloudTrail:

If you want to create or modify an Amazon S3 bucket to receive the log files for an organization trail, you must further modify the bucket policy.

To deliver log files to an S3 bucket, CloudTrail must have the required permissions, and it cannot be configured as a Requester Pays bucket. CloudTrail automatically attaches the required permissions to a bucket when you create an Amazon S3 bucket as part of creating or updating a trail in the CloudTrail console.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws:s3:::myBucketName"
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
            }
        ]
    }
John Rotenstein
    This might not work because I am trying to create an IAM identity-based policy and I cannot use the Principal element in an IAM identity-based policy –  Dec 17 '20 at 11:22
  • 1
    CloudTrail requires a bucket policy, not an IAM policy. Otherwise, it can't write the logs to the bucket. – John Rotenstein Dec 17 '20 at 11:33
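The bucket policy from the answer, turned into code. This is an added example, not code from the question or the answer: it builds the two-statement bucket policy for a given bucket and account, checks an existing bucket policy offline for the two grants whose absence produces InsufficientS3BucketPolicyException, and only then attaches the policy and creates the trail. The bucket name, trail name and account ID used in it are constructed placeholders; the last function needs boto3 and AWS credentials, and the optional `aws:SourceArn` condition is a hardening step beyond the policy quoted above (it ties the PutObject grant to one trail ARN so a trail in another account cannot be pointed at the bucket).

```python
"""Build, verify and apply the S3 bucket policy CloudTrail needs (added example)."""
import fnmatch
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _log_prefix_arn(bucket, account_id, prefix=None):
    """ARN pattern CloudTrail writes under: bucket/[prefix/]AWSLogs/<account>/*."""
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*"


def cloudtrail_bucket_policy(bucket, account_id, prefix=None, trail_arn=None):
    """Return the policy from the CloudTrail docs as a dict.

    Statement 1: GetBucketAcl on the bucket. Statement 2: PutObject under the
    AWSLogs/<account>/ prefix, only with the bucket-owner-full-control ACL.
    trail_arn (assumed, not on the original page) adds aws:SourceArn so that
    only the named trail can use the PutObject grant.
    """
    put_condition = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    if trail_arn:
        put_condition["StringEquals"]["aws:SourceArn"] = trail_arn
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": _log_prefix_arn(bucket, account_id, prefix),
                "Condition": put_condition,
            },
        ],
    }


def missing_cloudtrail_grants(policy, bucket, account_id, prefix=None):
    """Offline pre-flight check for InsufficientS3BucketPolicyException.

    Returns the names of the required grants the bucket policy does NOT make
    ('GetBucketAcl', 'PutObject'); an empty list means CreateTrail should pass.
    Only Allow statements whose Principal is the CloudTrail service principal
    count; a wide-open Principal "*" would also work but is a misconfiguration,
    so it is deliberately not accepted here. Resource ARNs may use IAM wildcards.
    """
    want = {
        "GetBucketAcl": ("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"),
        "PutObject": ("s3:PutObject", _log_prefix_arn(bucket, account_id, prefix)),
    }
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CLOUDTRAIL_SERVICE not in services:
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        patterns = _as_list(stmt.get("Resource", []))
        for name, (action, resource) in want.items():
            if action in actions or "s3:*" in actions:
                if any(fnmatch.fnmatchcase(resource, p) for p in patterns):
                    found.add(name)
    return [name for name in want if name not in found]


def attach_policy_and_create_trail(bucket, trail_name, region, prefix=None):
    """Merge the CloudTrail statements into the bucket policy, then create the trail.

    Assumes boto3 is installed and credentials are configured; imported lazily
    so the pure helpers above run without it. Existing statements are kept,
    since put_bucket_policy replaces the whole policy.
    """
    import boto3
    from botocore.exceptions import ClientError

    account_id = boto3.client("sts").get_caller_identity()["Account"]
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    s3 = boto3.client("s3")
    existing = {"Version": "2012-10-17", "Statement": []}
    try:
        existing = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as exc:  # NoSuchBucketPolicy is not a modelled exception
        if exc.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    if missing_cloudtrail_grants(existing, bucket, account_id, prefix):
        needed = cloudtrail_bucket_policy(bucket, account_id, prefix, trail_arn)
        existing["Statement"] = _as_list(existing.get("Statement", [])) + needed["Statement"]
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(existing))
    kwargs = {"Name": trail_name, "S3BucketName": bucket}
    if prefix:
        kwargs["S3KeyPrefix"] = prefix
    return boto3.client("cloudtrail", region_name=region).create_trail(**kwargs)


if __name__ == "__main__":
    # Constructed values; no AWS call is made here.
    print(json.dumps(cloudtrail_bucket_policy("goodbucket", "123456789012"), indent=2))
    print(missing_cloudtrail_grants({}, "goodbucket", "123456789012"))
```

The check is what CreateTrail does on the service side: it looks for a bucket policy, not an identity policy, so no amount of IAM permission on the calling user substitutes for it. Running `missing_cloudtrail_grants` against the JSON from `get_bucket_policy` before calling `create_trail` tells you which of the two statements is absent instead of leaving you with the generic "Incorrect S3 bucket policy" message.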