(aws-cloudtrail): setting up cloudtrail with exisiting Bucket and KMS produces error "Incorrect Bucket Policy" #27168
Labels
@aws-cdk/aws-cloudtrail
Related to AWS CloudTrail
bug
This issue is a bug.
effort/small
Small work item – less than a day of effort
p2
Comments
khushail
added
bug
khushail
added
p2
effort/small
|
same here, with
|
|
"GetBucketAcl" policy should have condition assessing for trail arn instead of this.bucket.addToResourcePolicy(
new iam.PolicyStatement({
sid: "AWSCloudTrailAclCheck20150319",
effect: iam.Effect.ALLOW,
principals: [new iam.ServicePrincipal("cloudtrail.amazonaws.com")],
actions: ["s3:GetBucketAcl"],
resources: <bucket arn>,
conditions: {
StringEquals: {
"AWS:SourceArn": <array of trail ARNs>,
},
},
})
); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Setting up Cloudtrail with existing bucket and KMS gives an error "incorrect bucket policy"
Expected Behavior
it should succeed with access to bucket logs
Current Behavior
PythonCfnParameterStack: creating CloudFormation changeset...
11:14:13 AM | UPDATE_FAILED | AWS::CloudTrail::Trail | CloudTrailA62D711D
Resource handler returned message: "Invalid request provided: Incorrect S3 bucket policy is detected for bucket: mytestbucket1503 (Service: CloudTrail, Statu
s Code: 400, Request ID: 808ae11e-fb26-42f6-8563-53ead2deb86e)" (RequestToken: 4beb64bc-05a4-bcac-0f7a-7775a622cea2, HandlerErrorCode: InvalidRequest)
❌ PythonCfnParameterStack failed: Error: The stack named PythonCfnParameterStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: Incorrect S3 bucket policy is detected for bucket: mytestbucket1503 (Service: CloudTrail, Status Code: 400, Request ID: 808ae11e-fb26-42f6-8563-53ead2deb86e)" (RequestToken: 4beb64bc-05a4-bcac-0f7a-7775a622cea2, HandlerErrorCode: InvalidRequest)
at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:443:10232)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Object.deployStack2 [as deployStack] (/usr/local/lib/node_modules/aws-cdk/lib/index.js:446:153546)
at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:446:136809
❌ Deployment failed: Error: The stack named PythonCfnParameterStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: Incorrect S3 bucket policy is detected for bucket: mytestbucket1503 (Service: CloudTrail, Status Code: 400, Request ID: 808ae11e-fb26-42f6-8563-53ead2deb86e)" (RequestToken: 4beb64bc-05a4-bcac-0f7a-7775a622cea2, HandlerErrorCode: InvalidRequest)
at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:443:10232)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Object.deployStack2 [as deployStack] (/usr/local/lib/node_modules/aws-cdk/lib/index.js:446:153546)
at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:446:136809
The stack named PythonCfnParameterStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: Incorrect S3 bucket policy is detected for bucket: mytestbucket1503 (Service: CloudTrail, Status Code: 400, Request ID: 808ae11e-fb26-42f6-8563-53ead2deb86e)" (RequestToken: 4beb64bc-05a4-bcac-0f7a-7775a622cea2, HandlerErrorCode: InvalidRequest)
Reproduction Steps
Code is provided in the ticket. Repro'd issue with adding the policy manually -
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.95.1
Framework Version
No response
Node.js Version
v18.12.1
OS
mac
Language
Python
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: