Security: cloudtrail fails if using LogFilePrefix parameter with ExternalTrailBucket
Devansh3790 opened this issue
TemplateID: security/cloudtrail
Region: us-east-1
I have an existing ExternalTrailBucket bucket. That bucket is already linked with another trail. When I provide LogFilePrefix as blank it works fine, but when I provide any LogFilePrefix value it starts failing with the following error:
Incorrect S3 bucket policy is detected for bucket: test-bucket-trail (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientS3BucketPolicyException; Request ID: b0bc984f-0eac-42b1-84db-b0a9e27b25a7)
What does the bucket policy of your bucket look like?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/AWSLogs/522373407640/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Thanks for the response and that is the bucket policy.
Did you replace <bucket-name> with your bucket's name?
Yes
Ah, found it. You need to allow CloudTrail to write objects with the prefix. For example, with the following bucket policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Shouldn't you rather use arn:aws:s3:::<bucket-name>/<your-prefix>/AWSLogs/<account-id>/* ?
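The thread's root cause, as an added example that is not part of the issue or the template's own code: a small offline check that builds the object key CloudTrail writes for a given LogFilePrefix and tests whether the bucket policy's PutObject statement covers it, plus the narrowest Resource ARN (the pattern from the last comment) that does. The bucket name, account id, region and date in the sample key are constructed placeholders; only Allow statements are evaluated, and Deny statements and Conditions are ignored.

```python
import re


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style resource match: '*' spans any characters (including '/'), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])


def trail_object_key(prefix: str, account_id: str) -> str:
    """Key CloudTrail writes for LogFilePrefix=prefix (region/date are sample values)."""
    base = f"AWSLogs/{account_id}/CloudTrail/us-east-1/2024/01/01/sample.json.gz"
    prefix = prefix.strip("/")
    return f"{prefix}/{base}" if prefix else base


def least_privilege_resource(bucket: str, prefix: str, account_id: str) -> str:
    """Narrowest Resource ARN that still covers the trail's writes under the prefix."""
    prefix = prefix.strip("/")
    path = f"{prefix}/AWSLogs/{account_id}/*" if prefix else f"AWSLogs/{account_id}/*"
    return f"arn:aws:s3:::{bucket}/{path}"


def cloudtrail_can_write(policy: dict, bucket: str, prefix: str, account_id: str) -> bool:
    """True if an Allow statement lets cloudtrail.amazonaws.com PutObject the trail's key."""
    key_arn = f"arn:aws:s3:::{bucket}/{trail_object_key(prefix, account_id)}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "cloudtrail.amazonaws.com" not in services:
            continue
        if not any(_wildcard_match(a, "s3:PutObject") for a in _as_list(stmt.get("Action"))):
            continue
        if any(_wildcard_match(r, key_arn) for r in _as_list(stmt.get("Resource"))):
            return True
    return False


def write_policy(bucket: str, resource: str) -> dict:
    """The two-statement policy from the thread; `resource` is the PutObject Resource ARN."""
    ct = {"Service": "cloudtrail.amazonaws.com"}
    acl = {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow", "Principal": ct,
           "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"}
    put = {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow", "Principal": ct,
           "Action": "s3:PutObject", "Resource": resource,
           "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
    return {"Version": "2012-10-17", "Statement": [acl, put]}
```

With the original `AWSLogs/<account-id>/*` resource the check passes for an empty prefix and fails once a prefix is set, which is the InsufficientS3BucketPolicyException seen above; the prefix-scoped ARN passes for that prefix only, whereas `<bucket-name>/*` passes for any key in the bucket.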