When defining the bucket ARN, it is easy to copy/paste it out of the AWS Console with a trailing slash included:
arn:aws:s3:::aws-cloudtrail-logs/AWSLogs/999999999999/
This results in the aws_cloudtrail Terraform module using the provided ARN and appending an additional trailing slash (Terraform plan output, truncated as pasted):
+ resources = [
Which in turn results in malformed policy values captured in the lacework_iam_role, S3 Permissions:
GetObject
  ObjectPath | string like | AWSLogs/999999999999//*
  BucketName | string like | aws-cloudtrail-logs-999999999999-0abe6e44
Note the double-slash as part of the generated policy value.
This malformed policy value results in a permissions issue error in the Lacework UI, CloudTrail Settings integration section (as per attached screenshot).
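The failure above is a plain string-concatenation problem: a bucket ARN that already ends in "/" gets "/*" appended, which yields an empty path segment ("//") that S3 treats as part of the key prefix, so the policy never matches the real log objects. The following Python is an added illustration, not code from the Lacework module or Terraform. It mimics the naive concatenation, shows the normalised form (the equivalent of Terraform's trimsuffix(var.bucket_arn, "/")), and includes a small lint that flags any S3 Resource ARN in a rendered IAM policy that contains a double slash. The function names, the policy document and the second ARN are constructed for the example; only the first ARN is taken from the issue text.

```python
import re

# Sample inputs. ARN_WITH_SLASH is the value pasted in the issue; the other
# is the constructed, correctly trimmed form.
ARN_WITH_SLASH = "arn:aws:s3:::aws-cloudtrail-logs/AWSLogs/999999999999/"
ARN_WITHOUT_SLASH = "arn:aws:s3:::aws-cloudtrail-logs/AWSLogs/999999999999"

S3_ARN_PREFIX = "arn:aws:s3:::"


def naive_object_resource(bucket_arn: str) -> str:
    """Mimic a module that blindly appends '/*' to whatever ARN it was given.

    With a trailing slash on the input this produces '.../999999999999//*'.
    """
    return bucket_arn + "/*"


def normalized_object_resource(bucket_arn: str) -> str:
    """Strip any trailing slashes before appending '/*'.

    Equivalent to Terraform's trimsuffix(var.bucket_arn, "/") applied
    repeatedly; rstrip also copes with several trailing slashes.
    """
    return bucket_arn.rstrip("/") + "/*"


def split_s3_arn(resource_arn: str) -> tuple[str, str]:
    """Return (bucket_name, object_path) from an S3 resource ARN.

    This is how the IAM role viewer ends up showing BucketName and
    ObjectPath as separate fields.
    """
    if not resource_arn.startswith(S3_ARN_PREFIX):
        raise ValueError(f"not an S3 ARN: {resource_arn!r}")
    bucket, _, path = resource_arn[len(S3_ARN_PREFIX):].partition("/")
    return bucket, path


def is_malformed_object_path(resource_arn: str) -> bool:
    """True when the object path contains an empty segment ('//').

    S3 keys may legitimately contain '//', but a CloudTrail prefix never
    does, so in this context a double slash means the policy will not
    match the objects the bucket actually holds.
    """
    _, path = split_s3_arn(resource_arn)
    return "//" in path


def malformed_resources(policy: dict) -> list[str]:
    """Lint a rendered IAM policy document (as a dict) and return every
    S3 object Resource ARN that would be malformed in the way the issue
    describes. Non-S3 and bucket-level ARNs are skipped.
    """
    bad = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if not arn.startswith(S3_ARN_PREFIX):
                continue
            if "/" not in arn[len(S3_ARN_PREFIX):]:
                continue  # bucket-level ARN, no object path to check
            if is_malformed_object_path(arn):
                bad.append(arn)
    return bad


# Constructed policy in the shape the module would render for the role.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::aws-cloudtrail-logs"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": [naive_object_resource(ARN_WITH_SLASH)]},
    ],
}


def validate_bucket_arn(bucket_arn: str) -> str:
    """Input-side check a module could apply to its bucket_arn variable:
    accept only a well-formed S3 ARN and reject a trailing slash outright
    rather than silently producing a broken policy.
    """
    if not re.fullmatch(r"arn:aws[\w-]*:s3:::[a-z0-9.-]{3,63}(/[^/].*)?", bucket_arn):
        raise ValueError(f"invalid S3 bucket ARN: {bucket_arn!r}")
    if bucket_arn.endswith("/"):
        raise ValueError("bucket ARN must not end with '/'")
    return bucket_arn


if __name__ == "__main__":
    print(naive_object_resource(ARN_WITH_SLASH))
    print(normalized_object_resource(ARN_WITH_SLASH))
    print(malformed_resources(EXAMPLE_POLICY))
```

Running it reproduces the ObjectPath value shown in the issue (AWSLogs/999999999999//*) from the naive concatenation, shows the normalised ARN that the module should generate, and lists the offending Resource entry from the constructed policy. A module author would typically use validate_bucket_arn-style rejection (a Terraform variable validation block) or trimming in the locals, not both.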