Incorrect policy detected in S3 bucket in CloudFormation


I have issues implementing CloudTrail via CloudFormation, with an "Incorrect S3 bucket policy is detected for bucket" error being thrown when I try to launch the model.

Here is the configuration from the BucketPolicy:

"LogBucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {
            "Ref": "LogBucket"
        },
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AWSCloudTrailAclCheck",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:GetBucketAcl",
                    "Resource": {
                        "Fn::Join": [
                            "",
                            [
                                "arn:aws:s3:::",
                                {
                                    "Ref": "LogBucket"
                                }
                            ]
                        ]
                    }
                },
                {
                    "Sid": "AWSCloudTrailWrite",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Action": "s3:PutObject",
                    "Resource": {
                        "Fn::Join": [
                            "",
                            [
                                "arn:aws:s3:::",
                                {
                                    "Ref": "LogBucket"
                                },
                                "/AWSLogs/139339407673/*"
                            ]
                        ]
                    },
                    "Condition": {
                        "StringEquals": {
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    }
                }
            ]
        }
    }
}

I have copied the template from AWS examples, but let me know if I made a mistake in the implementation.

Edit: The error is not thrown by the bucket policy, but by CloudTrail. Here is the configuration of the bucket:

"Trail": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "SnsTopicName": {
            "Fn::GetAtt": [
                "Topic",
                "TopicName"
            ]
        },
        "IsLogging": true,
        "S3BucketName": {
            "Ref": "LogBucket"
        }
    },
    "DependsOn": [
        "LogBucket"
    ]
}
Sep 5, 2018 in AWS by bug_seeker

1 answer to this question.


I modified your code and it seems to be working for me. Can you try this?

{
  "Parameters": {
    "LogBucket": {
      "Description": "Name Bucket.",
      "Type": "String"
    }
  },
  "Resources": {
    "LogBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "LogBucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "LogBucket"
                    }
                  ]
                ]
              }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "LogBucket"
                    },
                    "/AWSLogs/139339407673/*"
                  ]
                ]
              },
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      }
    }
  }
}
answered Sep 5, 2018 by Priyaj
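Added example, not code from either post above. The answer's template repeats the bucket policy but leaves out the Trail resource, which is where this error usually comes from: CloudTrail validates the bucket policy at the moment the trail is created, and the posted Trail only has DependsOn on the bucket, so CloudFormation is free to create the trail before LogBucketPolicy exists. Making the Trail DependsOn the AWS::S3::BucketPolicy resource fixes that ordering. The second thing to check is the literal account ID in the PutObject resource: CloudTrail writes under AWSLogs/<account that owns the trail>/, so that ID must be the account the stack is deployed into, and {"Ref": "AWS::AccountId"} avoids a mismatch. The script below builds a template in the shape of the posted one (the bucket name, account IDs and logical names are constructed placeholders) and runs both checks before deployment; the resolver only handles Ref and Fn::Join, which is all the posted policy uses.

```python
"""Pre-deploy checks for a CloudFormation CloudTrail log bucket. Added example, not
code from the original post; bucket name, account IDs and logical names are placeholders."""

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def resolve(node, ctx):
    """Evaluate Ref and Fn::Join (all the posted policy uses) against ctx, a dict
    of parameter and pseudo-parameter values such as AWS::AccountId."""
    if isinstance(node, dict):
        if "Ref" in node:
            return ctx[node["Ref"]]
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, ctx) for p in parts)
        return {k: resolve(v, ctx) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(p, ctx) for p in node]
    return node


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _grants(policy, action):
    """Allow statements granting `action` to the CloudTrail service principal."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and action in _as_list(s.get("Action"))
            and s.get("Principal", {}).get("Service") == CLOUDTRAIL]


def check_bucket_policy(policy, bucket, account_id):
    """Findings against the two statements CloudTrail requires (empty means ok)."""
    findings, bucket_arn = [], f"arn:aws:s3:::{bucket}"
    if not any(bucket_arn in _as_list(s.get("Resource"))
               for s in _grants(policy, "s3:GetBucketAcl")):
        findings.append(f"no s3:GetBucketAcl grant on {bucket_arn}")
    # CloudTrail writes under AWSLogs/<account that owns the trail>/, so a literal
    # account ID in the policy must be the account the stack is deployed into.
    want = f"{bucket_arn}/AWSLogs/{account_id}/*"
    if not any(want in _as_list(s.get("Resource"))
               and s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
               == "bucket-owner-full-control"
               for s in _grants(policy, "s3:PutObject")):
        findings.append(f"no s3:PutObject grant on {want} with s3:x-amz-acl="
                        "bucket-owner-full-control")
    return findings


def check_trail_ordering(template):
    """CloudTrail validates the bucket policy when the trail is created, so the Trail
    must DependsOn the AWS::S3::BucketPolicy resource, not only the bucket."""
    res = template["Resources"]
    policies = {n for n, r in res.items() if r["Type"] == "AWS::S3::BucketPolicy"}
    return [f"{n} must DependsOn a bucket policy, one of {sorted(policies)}"
            for n, r in res.items() if r["Type"] == "AWS::CloudTrail::Trail"
            and not policies & set(_as_list(r.get("DependsOn")))]


def audit(template, ctx):
    """Run both checks; ctx supplies parameter and pseudo-parameter values."""
    findings = []
    for r in template["Resources"].values():
        if r["Type"] == "AWS::S3::BucketPolicy":
            p = resolve(r["Properties"], ctx)
            findings += check_bucket_policy(p["PolicyDocument"], p["Bucket"], ctx["AWS::AccountId"])
    return findings + check_trail_ordering(template)


def build_template(depends_on_policy=True, hardcoded_account=None):
    """Template in the shape of the posted one. By default the PutObject prefix uses
    the AWS::AccountId pseudo parameter rather than a literal account ID."""
    account = {"Ref": "AWS::AccountId"} if hardcoded_account is None else hardcoded_account
    bucket = {"Ref": "LogBucket"}
    def statement(sid, action, resource, **extra):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
                "Action": action, "Resource": {"Fn::Join": ["", resource]}, **extra}
    return {"Parameters": {"LogBucket": {"Type": "String"}}, "Resources": {
        "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": bucket,
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                statement("AWSCloudTrailAclCheck", "s3:GetBucketAcl", ["arn:aws:s3:::", bucket]),
                statement("AWSCloudTrailWrite", "s3:PutObject",
                          ["arn:aws:s3:::", bucket, "/AWSLogs/", account, "/*"],
                          Condition={"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}),
            ]}}},
        "Trail": {"Type": "AWS::CloudTrail::Trail",
                  "Properties": {"IsLogging": True, "S3BucketName": bucket},
                  # The fix for the posted template: depend on the policy, not the bucket.
                  "DependsOn": ["LogBucketPolicy" if depends_on_policy else "LogBucket"]},
    }}


if __name__ == "__main__":
    ctx = {"AWS::AccountId": "123456789012", "LogBucket": "example-trail-logs"}
    print("fixed:    ", audit(build_template(), ctx))
    print("as posted:", audit(build_template(False, "111111111111"), ctx))
```

Run it with the account ID and bucket name the stack will actually use; an empty findings list for the fixed template and two findings for the as-posted shape (wrong account prefix, Trail depending only on the bucket) is the expected result. Current AWS guidance additionally puts an aws:SourceArn condition naming the trail's ARN on both statements, so that only your trail, not any CloudTrail trail in any account, can read the ACL and write objects; if you adopt that, extend check_bucket_policy to require it as well.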
