[The following answer has been translated] Hello,
Based on the returned message, the S3 bucket policy attached to the S3 log bucket in Account B does not allow the IAM Access Analyzer service-linked role in Account A to read the log files stored in the S3 log bucket. If an AWS KMS key is used to encrypt the CloudTrail log files [see appendix link 1], the attached key policy does not allow the service-linked role in Account A to decrypt the encrypted log files.
As noted in this AWS link [see appendix link 2], you need to make sure the S3 log bucket in Account B has the following bucket policy attached:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PolicyGenerationBucketPolicy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<Log_Bucket_name>",
                "arn:aws:s3:::<Log_Bucket_name>/AWSLogs/organization-id/${aws:PrincipalAccount}/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                },
                "StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
                }
            }
        }
    ]
}
```
If the CloudTrail log files are encrypted with AWS KMS before being stored in the S3 log bucket, you also need to update the attached KMS key policy so that the service-linked role can decrypt the encrypted log files:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN",
                    "aws:PrincipalOrgID": "organization-id"
                },
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com",
                    "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
                }
            }
        }
    ]
}
```
In addition, if ACLs are used for access control on the S3 bucket in Account B, you will need to change the bucket's Object Ownership setting. Choose one of the following two options for Object Ownership:
- Bucket owner enforced (recommended)
- Bucket owner preferred
Appendix links:
[1] Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS) - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
[2] IAM Access Analyzer policy generation - Generate a policy using AWS CloudTrail data in another account - https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account
Hope this helps!
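As an added offline check (example code, not part of the answer above and not an AWS tool), the following script reads a log-bucket policy document and reports which elements of the statement described in the answer are missing; the bucket name and organization id are constructed sample values.

```python
import json

# Added example, not from the original answer: an offline check that a log-bucket policy
# contains the statement the answer says the Access Analyzer service-linked role needs.
REQUIRED_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
ROLE_ARN_PATTERN = ("arn:aws:iam::${aws:PrincipalAccount}:role/service-role/"
                    "AccessAnalyzerMonitorServiceRole*")


def _as_set(value):
    """IAM policy fields may be a single string or a list; normalise to a set."""
    return {value} if isinstance(value, str) else set(value or [])


def check_log_bucket_policy(policy_json, bucket, org_id):
    """Return the requirements the best-matching statement fails; [] means all present."""
    policy = json.loads(policy_json)
    need_resources = {f"arn:aws:s3:::{bucket}",
                      f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/${{aws:PrincipalAccount}}/*"}
    best = None
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        missing = []
        if stmt.get("Effect") != "Allow":
            missing.append("effect")
        if not REQUIRED_ACTIONS <= _as_set(stmt.get("Action")):
            missing.append("actions")    # needs both s3:GetObject and s3:ListBucket
        if not need_resources <= _as_set(stmt.get("Resource")):
            missing.append("resources")  # bucket ARN plus AWSLogs/<org>/${aws:PrincipalAccount}/*
        if cond.get("StringEquals", {}).get("aws:PrincipalOrgID") != org_id:
            missing.append("org-id")     # caller must belong to the organization
        if cond.get("StringLike", {}).get("aws:PrincipalArn") != ROLE_ARN_PATTERN:
            missing.append("role-arn")   # only the AccessAnalyzerMonitorServiceRole* roles
        if best is None or len(missing) < len(best):
            best = missing
    return best if best is not None else ["no-statements"]


# Constructed samples. BAD_POLICY shows a common slip: only the bucket ARN as resource
# (ListBucket works but GetObject on the log keys is denied) and no organization pin.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PolicyGenerationBucketPolicy", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::org-trail-logs",
                 "arn:aws:s3:::org-trail-logs/AWSLogs/o-exampleorgid/${aws:PrincipalAccount}/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},
                  "StringLike": {"aws:PrincipalArn": ROLE_ARN_PATTERN}}}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::org-trail-logs",
    "Condition": {"StringLike": {"aws:PrincipalArn": ROLE_ARN_PATTERN}}}]})
```

Run `check_log_bucket_policy(policy_text, "<Log_Bucket_name>", "organization-id")` on the policy fetched from Account B; an empty list means every element from the answer is present.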