Open khushail opened 1 year ago
Same here, with isOrganizationTrail: true.
The "GetBucketAcl" policy statement should have a condition checking for the trail ARN instead of s3:x-amz-acl, I believe 🤔 An example from the project I work on:
    // ACL-check statement: CloudTrail calls s3:GetBucketAcl on the bucket itself,
    // so the condition is keyed on the trail ARN(s), not on s3:x-amz-acl.
    this.bucket.addToResourcePolicy(
      new iam.PolicyStatement({
        sid: "AWSCloudTrailAclCheck20150319",
        effect: iam.Effect.ALLOW,
        principals: [new iam.ServicePrincipal("cloudtrail.amazonaws.com")],
        actions: ["s3:GetBucketAcl"],
        resources: [this.bucket.bucketArn], // <bucket arn>
        conditions: {
          StringEquals: {
            "AWS:SourceArn": trailArns, // trailArns stands in for the <array of trail ARNs>
          },
        },
      })
    );
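The following is an added example, not code from the comment above or from the aws-cdk project. It builds the bucket policy in the shape CloudTrail documents for an existing bucket (ACL-check statement keyed on the trail ARN, write statement on the AWSLogs/<account>/* prefix, plus AWSLogs/<org-id>/* for an organization trail) and runs a small IAM-style evaluator over the two requests CloudTrail makes. It shows why the misplaced condition fails: a StringEquals condition on a key that is absent from the request context (s3:x-amz-acl on a GetBucketAcl call) never matches, so the Allow does not apply. The bucket name, account ID, region, trail name and org ID are constructed sample values, and the evaluator covers only Allow statements for a service principal with StringEquals conditions; it does not model the KMS key policy that an encrypted trail also needs.

```python
import copy

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name, org_id=None):
    """Bucket policy in the shape CloudTrail documents for an existing bucket:
    an ACL-check statement keyed on the trail ARN, and a write statement on
    AWSLogs/<account>/* (plus AWSLogs/<org-id>/* for an organization trail)."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    write_resources = [f"{bucket_arn}/AWSLogs/{account_id}/*"]
    if org_id:
        write_resources.append(f"{bucket_arn}/AWSLogs/{org_id}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                # GetBucketAcl carries no s3:x-amz-acl header, so the only
                # condition that can match here is the trail ARN.
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "s3:PutObject",
                "Resource": write_resources,
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def misconditioned_policy(policy):
    """The mistake the comment describes: ACL-check statement conditioned on
    s3:x-amz-acl instead of the trail ARN."""
    broken = copy.deepcopy(policy)
    broken["Statement"][0]["Condition"] = {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
    }
    return broken


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, action, resource, context):
    """Minimal IAM evaluation: Allow statements for a service principal with
    StringEquals conditions only. Condition keys are case-insensitive."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict) or CLOUDTRAIL not in _as_list(principal.get("Service", [])):
        return False
    if action not in _as_list(stmt.get("Action", [])):
        return False
    if not any(resource == p or (p.endswith("*") and resource.startswith(p[:-1]))
               for p in _as_list(stmt.get("Resource", []))):
        return False
    ctx = {k.lower(): v for k, v in context.items()}
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        # A condition on a key absent from the request context never matches.
        actual = ctx.get(key.lower())
        if actual is None or actual not in _as_list(wanted):
            return False
    return True


def check_cloudtrail_access(policy, bucket, account_id, trail_arn, org_id=None):
    """Simulate the requests CloudTrail makes against the bucket and return a
    description of each one the policy does not allow (empty list means OK)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    requests = [("s3:GetBucketAcl", bucket_arn, {"aws:SourceArn": trail_arn})]
    for prefix in [account_id] + ([org_id] if org_id else []):
        requests.append((
            "s3:PutObject",
            f"{bucket_arn}/AWSLogs/{prefix}/CloudTrail/sample.json.gz",
            {"aws:SourceArn": trail_arn, "s3:x-amz-acl": "bucket-owner-full-control"},
        ))
    return [
        f"{action} on {resource} is not allowed for {CLOUDTRAIL}"
        for action, resource, ctx in requests
        if not any(_statement_allows(s, action, resource, ctx) for s in policy["Statement"])
    ]


if __name__ == "__main__":
    # Constructed sample values; the account, region, trail and org ID are not from the issue.
    bucket, account, region, trail = "mytestbucket1503", "111122223333", "us-east-1", "my-trail"
    trail_arn = f"arn:aws:cloudtrail:{region}:{account}:trail/{trail}"
    good = cloudtrail_bucket_policy(bucket, account, region, trail)
    print("good policy:", check_cloudtrail_access(good, bucket, account, trail_arn))
    print("misconditioned:", check_cloudtrail_access(misconditioned_policy(good), bucket, account, trail_arn))
    print("org trail, account-only policy:",
          check_cloudtrail_access(good, bucket, account, trail_arn, org_id="o-exampleorgid"))
```

Running it shows the good policy passing both requests, the misconditioned policy failing only the GetBucketAcl request (the same check that produces "Incorrect S3 bucket policy"), and an organization trail failing the PutObject under AWSLogs/<org-id>/ when the policy only grants the account prefix.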
Describe the bug
Setting up CloudTrail with an existing bucket and KMS gives the error "incorrect bucket policy".
Expected Behavior
It should succeed, with access to the bucket logs.
Current Behavior
PythonCfnParameterStack: creating CloudFormation changeset...
11:14:13 AM | UPDATE_FAILED | AWS::CloudTrail::Trail | CloudTrailA62D711D Resource handler returned message: "Invalid request provided: Incorrect S3 bucket policy is detected for bucket: mytestbucket1503 (Service: CloudTrail, Status Code: 400, Request ID: 808ae11e-fb26-42f6-8563-53ead2deb86e)" (RequestToken: 4beb64bc-05a4-bcac-0f7a-7775a622cea2, HandlerErrorCode: InvalidRequest)
❌ PythonCfnParameterStack failed: Error: The stack named PythonCfnParameterStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: Incorrect S3 bucket policy is detected for bucket: mytestbucket1503 (Service: CloudTrail, Status Code: 400, Request ID: 808ae11e-fb26-42f6-8563-53ead2deb86e)" (RequestToken: 4beb64bc-05a4-bcac-0f7a-7775a622cea2, HandlerErrorCode: InvalidRequest)
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:443:10232)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/lib/node_modules/aws-cdk/lib/index.js:446:153546)
    at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:446:136809
Reproduction Steps
Code is provided in the ticket. Repro'd the issue by adding the policy manually -
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.95.1
Framework Version
No response
Node.js Version
v18.12.1
OS
mac
Language
Python
Language Version
No response
Other information
No response