I'm trying to enable audit logging on an AWS Redshift cluster. I've been following the instructions provided by AWS here: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging
I've defined the relevant IAM role as follows:
resource "aws_iam_role" "example-role" {
  name = "example-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "redshift.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
And have granted the following IAM permissions to the example-role role:
{
    "Sid": "AllowAccessForAuditLogging",
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:GetBucketAcl"
    ],
    "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
    ]
},
The relevant portion of the redshift cluster configuration is as follows:
resource "aws_redshift_cluster" "example-cluster-name" {
  cluster_identifier = "example-cluster-name"
  ...
  # redshift audit logging to S3
  logging {
    enable        = true
    bucket_name   = "example-bucket-name"
  }
  master_username           = var.master_username
  iam_roles                 = [aws_iam_role.example-role.arn]
  ...
terraform plan runs correctly, and produces the expected plan based on the above configuration. However, when running terraform apply the following error occurs:
Error: error enabling Redshift Cluster (example-cluster-name) logging: InsufficientS3BucketPolicyFault: Cannot read ACLs of bucket example-bucket-name. Please ensure that your IAM permissions are set up correctly.
Note: I've replaced all resource identifiers with example-* resource names and identifiers.
@shimo's answer is correct. I'll just add detail for someone like me:
{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::361669875840:user/logs"
    },
    "Action": [
        "s3:GetBucketAcl",
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::<your-bucket>",
        "arn:aws:s3:::<your-bucket>/*"
    ]
}
 
- `361669875840` must match your region; check [here][1]
 [1]: https://github.com/finos/compliant-financial-infrastructure/blob/main/aws/redshift/redshift_template_public.yml
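The error in the question comes from the S3 bucket policy, not from the IAM role attached to the cluster: Redshift needs the bucket policy to let its principal read the bucket ACL (a bucket-level ARN) and write log objects (an object-level ARN). The following is an added example, not code from the question or the answer: a small Python checker that takes a bucket policy document and reports which of those two grants are missing for a given principal, so the policy can be validated before `terraform apply`. The bucket name `example-bucket` and the principal are taken from the answer above with the `<your-bucket>` placeholder filled in; the checker handles `Allow`/`Deny`, IAM `*`/`?` wildcards and list-or-string elements, and treats `NotAction`/`NotResource`/`NotPrincipal` statements as non-matching, which is an assumption made for brevity.

```python
import fnmatch
import json

# Constructed input: the bucket policy from the answer, with <your-bucket>
# replaced by a hypothetical bucket name.
BUCKET = "example-bucket"
PRINCIPAL = "arn:aws:iam::361669875840:user/logs"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"AWS": PRINCIPAL},
            "Action": ["s3:GetBucketAcl", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        }
    ],
}


def required_grants(bucket):
    """The two grants Redshift audit logging needs on the bucket policy.

    GetBucketAcl is a bucket-level action (bucket ARN, no trailing /*);
    PutObject is an object-level action (bucket ARN with /*).
    """
    return [
        ("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/*"),
    ]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of identifiers ("*" or ARNs)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []  # NotPrincipal or malformed: assumed non-matching
    out = []
    for ids in principal.values():  # "AWS", "Service", "Federated", ...
        out.extend(_as_list(ids))
    return out


def _matches(pattern, value):
    # IAM wildcard semantics: '*' = any run of characters, '?' = one character.
    return fnmatch.fnmatchcase(value, pattern)


def _statement_matches(statement, principal, action, resource):
    """True if the statement applies to this principal/action/resource."""
    if "NotAction" in statement or "NotResource" in statement:
        return False  # assumption: negated elements are not evaluated here
    if not any(p == "*" or p == principal for p in _principals(statement)):
        return False
    if not any(_matches(a, action) for a in _as_list(statement.get("Action"))):
        return False
    return any(_matches(r, resource) for r in _as_list(statement.get("Resource")))


def allowed(policy, principal, action, resource):
    """Resource-policy evaluation: an explicit Deny beats any Allow."""
    matching = [
        s for s in _as_list(policy.get("Statement"))
        if _statement_matches(s, principal, action, resource)
    ]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)


def missing_grants(policy, principal, bucket):
    """Return the (action, resource) pairs the policy does NOT grant."""
    return [
        (action, resource)
        for action, resource in required_grants(bucket)
        if not allowed(policy, principal, action, resource)
    ]


def missing_grants_from_json(policy_json, principal, bucket):
    """Same check on the raw JSON text you would paste into the S3 console."""
    return missing_grants(json.loads(policy_json), principal, bucket)


if __name__ == "__main__":
    gaps = missing_grants(BUCKET_POLICY, PRINCIPAL, BUCKET)
    print("OK: bucket policy grants everything Redshift needs" if not gaps
          else "Missing grants: " + json.dumps(gaps))
```

A policy that lists only the bucket ARN (no `/*`) passes the ACL check but leaves `s3:PutObject` unmatched, and a policy that lists only `/*` produces exactly the "Cannot read ACLs of bucket" situation, because `s3:GetBucketAcl` is evaluated against the bucket ARN. Granting the same actions on the cluster's IAM role, as in the question, does not change either result, since Redshift writes audit logs under its own principal and only the bucket policy is consulted for it.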