Настройка политики S3 для службы AWS Config - PullRequest
/ 27 апреля 2020

Я пытаюсь разрешить AWS Config записывать в непубличную корзину S3.

Согласно официальной документации, мне нужно назначить роли AWS две политики. Однако невозможно ни добавить какую-либо политику к роли, связанной со службой (service-linked role), ни создать новую настраиваемую роль, связанную со службой, для AWS Config.

AWS Policy. Итак, как мне избавиться от ошибки S3 AccessDenied, не делая корзину публичной?

Правка: вот запись об ошибке из журнала:

{
"eventVersion": "1.07",
"userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxxxxxxxxxx:AWSConfig-BucketConfigCheck",
    "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/AWSServiceRoleForConfig/AWSConfig-BucketConfigCheck",
    "accountId": "xxxxxxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxxxxxxx",
    "sessionContext": {
        "sessionIssuer": {
            "type": "Role",
            "principalId": "xxxxxxxxxxxxxxxxxxxxx",
            "arn": "arn:aws:iam::xxxxxxxxxxxx:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "accountId": "xxxxxxxxxxxx",
            "userName": "AWSServiceRoleForConfig"
        },
        "attributes": {
            "creationDate": "2020-04-30T00:43:57Z",
            "mfaAuthenticated": "false"
        }
    },
    "invokedBy": "AWS Internal"
},
"eventTime": "2020-04-30T00:43:57Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutObject",
"awsRegion": "eu-west-1",
"sourceIPAddress": "xxx.xxx.xxx.xxx",
"userAgent": "[AWSConfig]",
"errorCode": "AccessDenied",
"errorMessage": "Access Denied",
"requestParameters": {
    "bucketName": "aws-config-bucket-xxxxxxxxxxxx",
    "Host": "aws-config-bucket-xxxxxxxxxxxx.s3.eu-west-1.amazonaws.com",
    "x-amz-acl": "bucket-owner-full-control",
    "x-amz-server-side-encryption": "AES256",
    "key": "AWSLogs/xxxxxxxxxxxx/Config/ConfigWritabilityCheckFile"
},
"responseElements": null,
"additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-SHA",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=",
    "bytesTransferredOut": 243
},
"requestID": "xxxxxxxxxxxxxxxx",
"eventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"readOnly": false,
"resources": [
    {
        "type": "AWS::S3::Object",
        "ARN": "arn:aws:s3:::aws-config-bucket-xxxxxxxxxxxx/AWSLogs/xxxxxxxxxxxx/Config/ConfigWritabilityCheckFile"
    },
    {
        "accountId": "xxxxxxxxxxxx",
        "type": "AWS::S3::Bucket",
        "ARN": "arn:aws:s3:::aws-config-bucket-xxxxxxxxxxxx"
    }
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "xxxxxxxxxxxx",
"vpcEndpointId": "vpce-xxxxxxxx",
"eventCategory": "Data"

}

...