I am trying to create 2 buckets with 2 different policies.
One bucket, VendorsWGLogs, will be the destination for log output.
The other bucket, VendorsWG, will give GetObject, PutObject, and DeleteObject access to a specified IAM group.
Here is what I have so far:
"Resources": {
"VendorsWGLogs": {
"Type": "AWS::S3::Bucket",
"Properties": {},
},
"LogsBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "VendorsWGLogs"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WeatherGuidance LogBucket permissions",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:s3:::VendorsWG"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "VendorsWGLogs" } , "/*" ]
]}
}
]
}
}
},
"VendorsWG": {
"Type": "AWS::S3::Bucket",
"Properties": {
"LoggingConfiguration": {
"DestinationBucketName": {"Ref" : "VendorsWGLogs"},
"LogFilePrefix": "testing-logs"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a1169860-d743-406e-a3e5-e12831826439"
},
}
},
"S3BP4TNQZ": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "VendorsWG"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WeatherGuidance Object permissions",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:iam::someUserGroup"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } , "/*" ]
]}
},
{
"Sid": "WeatherGuidance ListBucket",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:iam::someUserGroup"
},
"Action": "s3:ListBucket",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "VendorsWG" } ]
]},
"Condition": {
"StringLike": {
"s3:prefix": "weatherguidance*"
}
}
}
]
}
}
}
}
When I try to create a stack, I get this error
Event Log output:
Type:
AWS::S3::Bucket
Logical ID:
VendorsWG
Status reason:
You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket
I thought that specifying the target bucket's policy's principal as VendorsWGLogs would fix this, and now I am out of ideas.
What am I doing wrong? What can I do to get logging enabled? Thanks
Needed to put this under the log bucket's properties
Properties: {
AccessControl: "LogDeliveryWrite"
}
I think your problem is two fold:
s3:ListBucket
in the actions therefore the contents of the bucket can not be readActions on s3 buckets are run at a bucket (VendorsWGLogs) and contents (VendorsWGLogs/*
) level and you therefore need to list both of them under resources. The resulting policy should read
"Resource": [ "arn:aws:s3:::VendorsWGLogs", "arn:aws:s3:::VendorsWGLogs/*" ]
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With