Security: cloudtrail fails if using LogFilePrefix parameter with ExternalTrailBucket

Question

Security: cloudtrail fails if using LogFilePrefix parameter with ExternalTrailBucket

Devansh3790 opened this issue 4 years ago · comments

TemplateID: security/cloudtrail
Region: us-east-1

I have an existing ExternalTrailBucket bucket. That bucket already linked with another trail when i provided LogFilePrefix as blank it is working fine but when provided any LogFilePrefix value it starts failing with the following error:

Incorrect S3 bucket policy is detected for bucket: test-bucket-trail (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientS3BucketPolicyException; Request ID: b0bc984f-0eac-42b1-84db-b0a9e27b25a7)

Andreas Wittig · Answer 1 · Sat May 16 2020 19:51:02 GMT+0800 (China Standard Time)

How does the bucket policy of your bucket look like?

Devansh Kumar · Answer 2 · Sun May 24 2020 04:53:21 GMT+0800 (China Standard Time)

    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/AWSLogs/522373407640/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}


Thanks for the response and that is the bucket policy.

Andreas Wittig · Answer 3 · Mon May 25 2020 17:06:15 GMT+0800 (China Standard Time)

Did you replace <bucket-name> with your bucket's name?

Devansh Kumar · Answer 4 · Tue May 26 2020 11:25:41 GMT+0800 (China Standard Time)

Did you replace <bucket-name> with your bucket's name?

Yes

Andreas Wittig · Answer 5 · Thu May 28 2020 20:37:57 GMT+0800 (China Standard Time)

Ah, found it. You need to allow CloudTrail to write objects with the prefix. For example, with the following bucket policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

Michael Wittig · Answer 6 · Thu May 28 2020 21:46:14 GMT+0800 (China Standard Time)

shouldn't you better use arn:aws:s3:::<bucket-name>/<your-prefix>/AWSLogs/<account-id>/* ?