Amazon Web Services - AWS CloudTrail Create API for Go SDK throws error message "InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket"

I am trying to create a CloudTrail using the Go SDK. Following the AWS documentation, I connected to AWS successfully without any problems.

I created a trail by following these steps:

Step 1 - Create an S3 bucket so that all trail log files can be placed in it.

CreateS3Bucket: code

package main

import (
    "errors"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/s3"
    log "github.com/sirupsen/logrus" // assumed: the post's log.Errorf/log.Infof match logrus
)

// CreateS3Bucket creates the bucket that will receive the trail's log files.
// The caller passes "s3-bucket-123"; the original re-declared bucketName with :=
// inside the body, which does not compile because the parameter already has that name.
func CreateS3Bucket(bucketName string) error {
    svc := s3.New(session.New(&aws.Config{Region: aws.String("us-east-1")}))
    params := &s3.CreateBucketInput{
        Bucket: aws.String(bucketName), // Required
    }
    resp, err1 := svc.CreateBucket(params)
    if err1 != nil {
        // Print the error, cast err to awserr.Error to get the Code and
        // Message from an error.
        log.Errorf("S3 Bucket Creation Fails: %s", err1.Error())
        errs := errors.New("500")
        return errs
    }
    // Pretty-print the response data.
    log.Infof("Bucket Successfully created: %s", resp)
    return nil
}

Successful response:

{
  Location: "/s3-bucket-123"
}

Step 2 - Create the CloudTrail

CreateCloudTrail: code

// Same package main as step 1; only the cloudtrail service import is new.
import (
    "errors"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/cloudtrail"
    log "github.com/sirupsen/logrus" // assumed, as in step 1
)

// AwsCloudTrail is the receiver type the post uses; its definition is not shown,
// so an empty struct stands in.
type AwsCloudTrail struct{}

func (ref *AwsCloudTrail) CreateCloudTrail(bucketName, trailName string) error {
    svc := cloudtrail.New(session.New(&aws.Config{Region: aws.String("us-east-1")}))
    // bucketName is "s3-bucket-123" and trailName is "cloudtrail123"
    params := &cloudtrail.CreateTrailInput{
        Name:         aws.String(trailName),  // Required
        S3BucketName: aws.String(bucketName), // Required
    }
    resp, errs := svc.CreateTrail(params)
    if errs != nil {
        // Print the error, cast err to awserr.Error to get the Code and
        // Message from an error.
        log.Errorf("Error while creating trail %v", errs.Error())
        err := errors.New("500")
        return err
    }
    // Pretty-print the response data.
    log.Infof("create trail response: %s", resp)
    return nil
}

Response:

"Error while creating trail InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: s3-bucket-123
	status code: 400, request id: 203d63d6-51ea-11e6-bb2c-b5d25b86e418"

Can anyone tell me what I did wrong? What S3 policy do I need to specify when creating the trail?

Any help/suggestions are greatly appreciated.

References: https://docs.aws.amazon.com/sdk-for-go/api/service/cloudtrail/#CloudTrail.CreateTrail

https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#S3.CreateBucket

Your CloudTrail should have this policy set on the S3 bucket. Follow this guide; the steps offer different options.

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::myBucketName"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

After adding the policy mentioned in the accepted answer, make sure the bucket's name, prefix and account ID match the values specified here:

"Resource": "arn:aws:s3:::myBucketName/<prefix>/AWSLogs/myAccountID/*"

Also make sure the "*" suffix is present.

A wrong configuration leads to the same error.
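As an added example (not code from the question or either answer), the following Go check encodes what the two answers describe: LogResource builds the exact Resource ARN CloudTrail writes under for a bucket, optional prefix and account ID, and CheckTrailPolicy verifies that a bucket policy document carries both grants from the accepted answer for those values, which is the mismatch behind InsufficientS3BucketPolicyException. SamplePolicy and the account ID 111111111111 are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"strings"
)

// SamplePolicy is a constructed policy for the question's bucket, with a placeholder account ID.
const SamplePolicy = `{"Version":"2012-10-17","Statement":[
{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::s3-bucket-123"},
{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::s3-bucket-123/AWSLogs/111111111111/*","Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control"}}}]}`

// LogResource is the ARN CloudTrail writes under; an empty prefix must not leave "//" and "/*" is always appended.
func LogResource(bucket, prefix, accountID string) string {
	prefix = strings.Trim(prefix, "/")
	if prefix != "" {
		prefix += "/"
	}
	return "arn:aws:s3:::" + bucket + "/" + prefix + "AWSLogs/" + accountID + "/*"
}

// CheckTrailPolicy reports whether doc grants cloudtrail.amazonaws.com both s3:GetBucketAcl on the
// bucket and s3:PutObject on exactly LogResource; a mismatch in any of the three values fails CreateTrail.
// Principal, Action and Resource are read in the single-value form used by the accepted answer's policy.
func CheckTrailPolicy(doc []byte, bucket, prefix, accountID string) (bool, error) {
	var p struct {
		Statement []struct {
			Effect    string            `json:"Effect"`
			Principal map[string]string `json:"Principal"`
			Action    string            `json:"Action"`
			Resource  string            `json:"Resource"`
		} `json:"Statement"`
	}
	if err := json.Unmarshal(doc, &p); err != nil {
		return false, err
	}
	acl, write := false, false
	for _, s := range p.Statement {
		trusted := s.Effect == "Allow" && s.Principal["Service"] == "cloudtrail.amazonaws.com"
		switch {
		case trusted && s.Action == "s3:GetBucketAcl" && s.Resource == "arn:aws:s3:::"+bucket:
			acl = true
		case trusted && s.Action == "s3:PutObject" && s.Resource == LogResource(bucket, prefix, accountID):
			write = true
		}
	}
	return acl && write, nil
}
```

Run the check against the policy fetched from the bucket before calling CreateTrail: a false result with the bucket, prefix and account ID you intend to use points at the mismatch without a round trip to the API.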
