AWS CloudTrail Create API for Go SDK 引发错误消息“InsufficientS3BucketPolicyException:检测到存储桶的 S3 存储桶策略不正确:
Posted
技术标签:
【中文标题】AWS CloudTrail Create API for Go SDK 引发错误消息“InsufficientS3BucketPolicyException:检测到存储桶的 S3 存储桶策略不正确:”【英文标题】:AWS CloudTrail Create API for Go SDK throwing error mesage "InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: " 【发布时间】:2016-11-28 04:34:33 【问题描述】:我正在尝试使用 Go SDK 创建一个 cloudtrail。按照 AWS 文档成功连接 AWS 没有任何问题。
我按照以下步骤创建跟踪
Step1 - 创建 S3 存储桶,以便所有跟踪日志文件都可以放在此存储桶中。
CreateS3Bucket:代码
func CreateS3Bucket(bucketName string) error
bucketName := "s3-bucket-123"
svc := s3.New(session.New(&aws.ConfigRegion: aws.String("us-east-1")))
params := &s3.CreateBucketInput
Bucket: aws.String(bucketName), // Required
resp, err1 := svc.CreateBucket(params)
if err1 != nil
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
log.Errorf("S3 Bucket Creation Fails: %s", err1.Error())
errs := errors.New("500")
return errs
// Pretty-print the response data.
log.Infof("Bucket Successfully created: %s", resp)
return nil
成功响应:
\n Location: \"/s3-bucket-123\"\n"
第 2 步 - 创建 CloudTrail
CreateCloudTrail: 代码
func (ref *AwsCloudTrail) CreateCloudTrail(bucketName, trailName string) error
svc := cloudtrail.New(session.New(&aws.ConfigRegion: aws.String("us-east-1")))
//bucketName is "s3-bucket-123" and trailName is cloudtrail123
params := &cloudtrail.CreateTrailInput
Name: aws.String(trailName), // Required
S3BucketName: aws.String(bucketName), // Required
resp, errs := svc.CreateTrail(params)
if errs != nil
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
log.Errorf("Error while creating trail %v",errs.Error())
err := errors.New("500")
return err
// Pretty-print the response data.
log.Infof("create trail response: %s",resp)
return nil
回应
"Error while creating trail InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: s3-bucket-123\n\tstatus code: 400, request id: 203d63d6-51ea-11e6-bb2c-b5d25b86e418"
谁能告诉我我哪里做错了。创建 Trail 时我需要指定什么 S3 策略
非常感谢任何帮助/建议
参考: https://docs.aws.amazon.com/sdk-for-go/api/service/cloudtrail/#CloudTrail.CreateTrail
https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#S3.CreateBucket
【问题讨论】:
【参考方案1】:您的 Cloud Trail 应该具有适用于 S3 存储桶的此政策。按照本指南,在该步骤中有不同的选项。
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
"Version": "2012-10-17",
"Statement": [
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal":
"Service": "cloudtrail.amazonaws.com"
,
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::myBucketName"
,
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal":
"Service": "cloudtrail.amazonaws.com"
,
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
"Condition":
"StringEquals":
"s3:x-amz-acl": "bucket-owner-full-control"
]
【讨论】:
感谢您的回复。您提供的指南显示了要通过 AWS 控制台执行的步骤。我可以通过 aws-go-sdk 做类似的事情吗?我的意思是通过 Go-SDK 添加/指定 S3 存储桶策略 检查这个github.com/aws/aws-sdk-go/tree/master/service/iam有一个示例文件,您可以在其中附加不同的策略检查examples_test.go文件。 非常感谢,它对我有用,现在能够成功创建 Trail。【参考方案2】:确保在添加已接受答案中提到的策略后,您的存储桶的 name、prefix 和 accountID 与此处指定的值匹配:
"Resource": "arn:aws:s3:::myBucketName/<prefix>/AWSLogs/myAccountID/*"
还要确保 "*" 后缀存在。
错误的配置会导致同样的错误。
【讨论】:
以上是关于AWS CloudTrail Create API for Go SDK 引发错误消息“InsufficientS3BucketPolicyException:检测到存储桶的 S3 存储桶策略不正确:的主要内容,如果未能解决你的问题,请参考以下文章
AWS学习笔记--启用CloudTrail记录AWS 账户操作日志