Setting event Values for CloudTrail - all S3 buckets



I'm trying to get a CloudTrail trail for all S3 bucket data, but it keeps throwing an error. The template looks like this:

  DataTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      CloudWatchLogsLogGroupArn:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-CloudtrailLogGroupARN
      CloudWatchLogsRoleArn:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-CloudTrailLogsRoleARN
      EnableLogFileValidation: true
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - 'arn:aws:s3:::*'
        - IncludeManagementEvents: false
        - ReadWriteType: All
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      KMSKeyId:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-InvoicegenKey-CMK-Arn
      S3BucketName:
        Fn::ImportValue:
          !Sub ${EnvironmentName}-CloudTrailBucket-Name

The AWS docs say it must be a list of strings, so I did:

  Values:
    - 'arn:aws:s3:::*'

But it keeps failing...

Thanks in advance


In the end it was easy; I just created a trail through the console and then used `aws cloudtrail get-event-selectors --trail-name <name>` to get the result. Then I carried it over into my template like this:

  DataResources:
    - Type: AWS::S3::Object
      Values:
        - arn:aws:s3
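As an added example (not from the question or either answer), a small Python check over the JSON shape that `aws cloudtrail get-event-selectors` returns: it reports whether S3 data events are captured account-wide and for both reads and writes, treating both `arn:aws:s3` (the value the answer above got back) and `arn:aws:s3:::` (the all-buckets prefix in the CloudFormation docs) as full coverage. The sample response, account id and trail name are constructed.

```python
import json

# Constructed sample in the shape of `aws cloudtrail get-event-selectors`
# output; account id and trail name are placeholders, not a real account.
SAMPLE_EVENT_SELECTORS = json.loads("""
{
  "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/example-trail",
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": false,
      "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}
      ]
    }
  ]
}
""")

# Both spellings mean "all current and future S3 buckets": the bare service ARN
# that get-event-selectors reports, and the prefix form used in the CFN docs.
ALL_S3_PREFIXES = ("arn:aws:s3", "arn:aws:s3:::")


def audit_s3_data_events(response):
    """Return a list of finding codes; an empty list means every S3 object in
    the account is logged for both reads and writes by at least one selector."""
    findings = []
    covers_all = False
    read_write_types = set()
    for selector in response.get("EventSelectors", []):
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            if any(v in ALL_S3_PREFIXES for v in resource.get("Values", [])):
                covers_all = True
                # The API defaults ReadWriteType to "All" when it is omitted.
                read_write_types.add(selector.get("ReadWriteType", "All"))
    if not covers_all:
        # Only specific buckets (or none) are covered; new buckets go unlogged.
        findings.append("S3_DATA_EVENTS_NOT_ACCOUNT_WIDE")
    elif "All" not in read_write_types:
        # Account-wide, but only ReadOnly or WriteOnly events are captured.
        findings.append("S3_DATA_EVENTS_NOT_READ_AND_WRITE")
    return findings


if __name__ == "__main__":
    print(audit_s3_data_events(SAMPLE_EVENT_SELECTORS) or "OK: all S3 objects covered")
```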

Yes, although very close, the correct indentation should be

  cloudtrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: Yes
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - arn:aws:s3:::s3-event-step-bucket/
          IncludeManagementEvents: Yes
          ReadWriteType: All
      IncludeGlobalServiceEvents: Yes
      IsLogging: Yes
      IsMultiRegionTrail: Yes
      S3BucketName: s3-event-step-bucket-storage
      TrailName: xyz
