CloudTrail creation on S3 gives insufficientS3BucketPolicyException Incorrect S3 bucket policy is detected for bucket.

0

I am trying to create CloudTrail for a S3 bucket which has KMS enabled with type as Customer Managed Key. But I am getting insufficientS3BucketPolicyException Incorrect S3 bucket policy is detected for bucket Bucket policy:

{
	"Version": "2012-10-17",
	"Id": "S3-Console-Auto-Gen-Policy-13213123",
	"Statement": [
		{
			"Sid": "S3PolicyStmt-DO-NOT-MODIFY-3123123123",
			"Effect": "Allow",
			"Principal": {
				"Service": "logging.s3.amazonaws.com"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "111222333"
				}
			}
		},
		{
			"Sid": "EnforceHTTPS",
			"Effect": "Deny",
			"Principal": {
				"AWS": "*"
			},
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::workday-adaptive-cp/*",
				"arn:aws:s3:::workday-adaptive-cp"
			],
			"Condition": {
				"Bool": {
					"aws:SecureTransport": "false"
				}
			}
		},
		{
			"Sid": "RequireKMSEncryption",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringNotEquals": {
					"s3:x-amz-server-side-encryption": "aws:kms"
				}
			}
		},
		{
			"Sid": "RequireSpecificKMSKey",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringNotLikeIfExists": {
					"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-2:111222333:key/3e-4507-9be4-edfdsafdf"
				}
			}
		},
		{
			"Sid": "DenySSE-S3",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringEquals": {
					"s3:x-amz-server-side-encryption": "AES256"
				}
			}
		},
		{
			"Sid": "AWSCloudTrailToWriteLogs",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": [
				"s3:GetBucketAcl",
				"s3:PutObject"
			],
			"Resource": [
				"arn:aws:s3:::workday-adaptive-cp",
				"arn:aws:s3:::workday-adaptive-cp/*"
			]
		},
		{
			"Sid": "AWSCloudTrailAclCheck20150319-c91c4293-9539-455b-8a7b-8107eb1c940f",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": "s3:GetBucketAcl",
			"Resource": "arn:aws:s3:::workday-adaptive-cp",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:cloudtrail:us-east-2:111222333:trail/CloudTrail_WorkdayAdaptiveCP_S3_Events"
				}
			}
		},
		{
			"Sid": "AWSCloudTrailWrite20150319-aee3ee70-cfsdfksnfklsdnfkcsfkn",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/CloudTrail_S3_Events/AWSLogs/111222333/*",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:cloudtrail:us-east-2:111222333:trail/CloudTrail_WorkdayAdaptiveCP_S3_Events",
					"s3:x-amz-acl": "bucket-owner-full-control"
				}
			}
		}
	]
}

CMK KMS Bucket policy is:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111222333:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111222333:root"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111222333:root"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow CloudTrail Use of the Key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Encrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111222333:trail/*"
                }
            }
        }
    ]
}
  • Please accept the answer if it was useful for you

1 Answer
2
profile picture
EXPERT
answered 8 months ago
profile picture
EXPERT
reviewed 7 months ago
  • Thanks for sharing the references. I modified the bucket and kms policy based on the docs. And then tried creating the CloudTrail, still getting the same error as: InsufficientS3BucketPolicyException Incorrect S3 bucket policy is detected for bucket: workday-adaptive-cp

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions