I am trying to configure an AWS organization trail in my management account, but it fails with a bucket policy error. Details: the guide I am following is here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-an-organizational-trail-by-using-the-aws-cli.html
The CLI runs as an IAM user that has S3FullControl and CloudTrailFullControl for testing purposes. The trail is created with this simple command:
aws cloudtrail create-trail --name inna-org-trail --s3-bucket-name bucket-inna-org1 --is-organization-trail --is-multi-region-trail
I get this error: An error occurred (InsufficientS3BucketPolicyException) when calling the CreateTrail operation: Incorrect S3 bucket policy is detected for bucket: bucket-inna-org1
I tried adding permissions to the user, but it did not change anything.
The bucket policy is standard AWS textbook content and is listed below. Can anyone tell me what is missing here?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20201",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::bucket-inna-org1"
    },
    {
      "Sid": "AWSCloudTrailWrite20152",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::bucket-inna-org1/master/AWSLogs/464372413802/*",
        "arn:aws:s3:::bucket-inna-org1/AWSLogs/273925183535/*",
        "arn:aws:s3:::bucket-inna-org1/AWSLogs/375700267666/*",
        "arn:aws:s3:::bucket-inna-org1/AWSLogs/769509352908/*"
      ],
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    },
    {
      "Sid": "AWSCloudTrailWrite20173",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-inna-org1/AWSLogs/o-eadh1jbx7l/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    }
  ]
}
Any suggestions/directions would be greatly appreciated. Thanks!
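An added example, not part of the original post: a small checker that compares a bucket policy against the grants CloudTrail is documented to require for an organization trail (s3:GetBucketAcl on the bucket, and s3:PutObject with the bucket-owner-full-control ACL condition under AWSLogs/<account-id>/ and AWSLogs/<org-id>/, both below --s3-key-prefix when one is set). The policy, bucket name, account id and org id are copied from the post; the required-grant set is assumed from the CloudTrail documentation, and the create-trail command above passes no prefix.

```python
BUCKET, ACCOUNT, ORG_ID = "bucket-inna-org1", "464372413802", "o-eadh1jbx7l"
CT = {"Service": "cloudtrail.amazonaws.com"}
BOFC = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}

# The post's bucket policy as a Python structure (JSON braces restored).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck20201", "Effect": "Allow", "Principal": CT,
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "AWSCloudTrailWrite20152", "Effect": "Allow", "Principal": CT,
     "Action": "s3:PutObject", "Condition": BOFC,
     "Resource": [f"arn:aws:s3:::{BUCKET}/master/AWSLogs/{ACCOUNT}/*",
                  f"arn:aws:s3:::{BUCKET}/AWSLogs/273925183535/*",
                  f"arn:aws:s3:::{BUCKET}/AWSLogs/375700267666/*",
                  f"arn:aws:s3:::{BUCKET}/AWSLogs/769509352908/*"]},
    {"Sid": "AWSCloudTrailWrite20173", "Effect": "Allow", "Principal": CT,
     "Action": "s3:PutObject", "Condition": BOFC,
     "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy, action, resource, need_bofc=False):
    """True if an Allow statement for the CloudTrail service principal grants
    `action` on exactly `resource` (plus the ACL condition when need_bofc)."""
    for st in policy["Statement"]:
        pr = st.get("Principal", {})
        svc = _as_list(pr.get("Service", [])) if isinstance(pr, dict) else []
        acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if (st.get("Effect") == "Allow" and "cloudtrail.amazonaws.com" in svc
                and action in _as_list(st.get("Action"))
                and resource in _as_list(st.get("Resource"))
                and (not need_bofc or acl == "bucket-owner-full-control")):
            return True
    return False

def missing_grants(policy, bucket, account, org_id, prefix=""):
    """Grants the documented CloudTrail org-trail check needs but `policy` lacks.
    `prefix` is the trail's --s3-key-prefix; without one, logs go to AWSLogs/."""
    base = f"arn:aws:s3:::{bucket}"
    keypath = f"{prefix.strip('/')}/AWSLogs" if prefix else "AWSLogs"
    missing = []
    if not _allows(policy, "s3:GetBucketAcl", base):
        missing.append(f"s3:GetBucketAcl on {base}")
    for owner in (account, org_id):  # management account, then the organization
        obj = f"{base}/{keypath}/{owner}/*"
        if not _allows(policy, "s3:PutObject", obj, need_bofc=True):
            missing.append(f"s3:PutObject with bucket-owner-full-control on {obj}")
    return missing
```

Running `missing_grants(POLICY, BUCKET, ACCOUNT, ORG_ID)` for the prefix-less command reports the management account path `AWSLogs/464372413802/*` as uncovered (the policy only grants `master/AWSLogs/464372413802/*`), while `prefix="master"` instead reports the organization path `master/AWSLogs/o-eadh1jbx7l/*`; either way the prefix in the policy and the prefix on the trail have to agree.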