Notebook
2016-01-07 (Thu) [This date in past years]
■ [AWS] Allowing CloudTrail log Puts for the ap-northeast-2 region
Today the ap-northeast-2 region became newly available. When I tried to enable CloudTrail, I got an error.
Incorrect S3 bucket policy is detected for bucket: iret.cloudtrail.logs (Aws::CloudTrail::Errors::InsufficientS3BucketPolicyException)
The S3 bucket policy needed the appropriate permissions configured.
Looking at CloudTrail Supported Regions, the AWS Account ID *1 for ap-northeast-2 is listed. Specify the following ARN as the Principal.
arn:aws:iam::492519147666:root
The policy then looks like this (both statements list the new account alongside the existing regional accounts).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::903692715234:root",
          "arn:aws:iam::035351147821:root",
          "arn:aws:iam::859597730677:root",
          "arn:aws:iam::814480443879:root",
          "arn:aws:iam::216624486486:root",
          "arn:aws:iam::086441151436:root",
          "arn:aws:iam::388731089494:root",
          "arn:aws:iam::284668455005:root",
          "arn:aws:iam::113285607260:root",
          "arn:aws:iam::492519147666:root"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::your-bucket-name"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::903692715234:root",
          "arn:aws:iam::035351147821:root",
          "arn:aws:iam::859597730677:root",
          "arn:aws:iam::814480443879:root",
          "arn:aws:iam::216624486486:root",
          "arn:aws:iam::086441151436:root",
          "arn:aws:iam::388731089494:root",
          "arn:aws:iam::284668455005:root",
          "arn:aws:iam::113285607260:root",
          "arn:aws:iam::492519147666:root"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/AWSLogs/*/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
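As an added example (not part of the original post), a small Python check for the situation above: given a bucket policy as a dict, it reports which of the two grants CloudTrail needs (s3:GetBucketAcl on the bucket, s3:PutObject under AWSLogs/) still lack the new region's account ARN, and produces a corrected copy. The sample policy and function names are constructed for this example; the account IDs are the ones quoted in the post.

```python
import copy

# Constructed sample: a bucket policy written before ap-northeast-2 existed, granting
# only one of the older regional CloudTrail accounts listed in the post.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetBucketAcl",
         "Principal": {"AWS": ["arn:aws:iam::903692715234:root"]},
         "Resource": "arn:aws:s3:::your-bucket-name"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Principal": {"AWS": ["arn:aws:iam::903692715234:root"]},
         "Resource": "arn:aws:s3:::your-bucket-name/AWSLogs/*/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}
CLOUDTRAIL_ACTIONS = ("s3:GetBucketAcl", "s3:PutObject")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def missing_cloudtrail_principals(policy, account_id):
    """CloudTrail actions that no Allow statement grants to arn:aws:iam::<account_id>:root."""
    arn = f"arn:aws:iam::{account_id}:root"
    missing = []
    for action in CLOUDTRAIL_ACTIONS:
        covered = any(s.get("Effect") == "Allow" and action in _as_list(s.get("Action"))
                      and arn in _as_list(s.get("Principal", {}).get("AWS"))
                      for s in policy.get("Statement", []))
        if not covered:
            missing.append(action)
    return missing  # empty list: the region's CloudTrail account is fully covered


def add_cloudtrail_principal(policy, account_id):
    """Copy of the policy with the region's account added to each Allow statement for the CloudTrail actions."""
    arn = f"arn:aws:iam::{account_id}:root"
    fixed = copy.deepcopy(policy)  # never mutate the caller's policy
    for s in fixed.get("Statement", []):
        if s.get("Effect") != "Allow" or not set(_as_list(s.get("Action"))) & set(CLOUDTRAIL_ACTIONS):
            continue
        principals = _as_list(s.get("Principal", {}).get("AWS"))
        if arn not in principals:
            principals.append(arn)
        s.setdefault("Principal", {})["AWS"] = principals
    return fixed
```

Run the check against the policy currently on the bucket before enabling the trail; an empty result means the InsufficientS3BucketPolicyException above should not occur for that region.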
*1 Wasn't it called "AWS Account Number"?