AWS Config bucket policy


I am trying to deploy a CloudFormation template that sets up AWS Config with an S3 bucket, but I get an "incorrect policy, unable to write to bucket" error.

Does anyone know the proper template and code for what I am trying to do?

Please help

CodePudding user response:

Please attach your code, the policy you are trying to add and the error you receive...

CodePudding user response:

Here is my code. I am getting an "incorrect bucket policy, can't write to bucket" error.

Note on the template as pasted: the forum's formatting has eaten several asterisks, so `"Action": "kms:"`, `"Action": "kms:Put"` and `"Resource": ""` in the key policy read as `kms:*`, `kms:Put*` and `"*"` in the real file. Three things in the template will trigger AWS Config's "insufficient delivery policy" check: (1) `ResumeConfigDeliveryChannel` refers to the bucket by name only, so CloudFormation sees no dependency and may create the delivery channel before `ConfigBucketPolicy` exists — add `"DependsOn": ["ConfigBucketPolicy"]` to the delivery channel; (2) the `AWSConfigBucketDelivery` statement's `Resource` must end in `/Config/*` (object-key wildcard), not `/Config/` — if the `*` is missing in the real file and not only in this rendering, `s3:PutObject` is never allowed on any actual key; (3) because the channel sets `S3KmsKeyArn`, the key-policy statement for `config.amazonaws.com` also needs `kms:GenerateDataKey*` next to `kms:Decrypt*`, otherwise the SSE-KMS write fails even with a correct bucket policy. Separately, `ResumeConfigRuleS3` scopes the managed rule `ELB_LOGGING_ENABLED` to `AWS::S3::Bucket`, which will never evaluate anything useful — a bucket-level identifier such as `S3_BUCKET_LOGGING_ENABLED` was presumably intended. For a log bucket, also consider adding `PublicAccessBlockConfiguration` to `ConfigBucket`, and be aware the paste exposes your account ID and an IAM user name.

{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Template for a startup company looking to move their services to the cloud", "Resources": { "ResumeConfigRecorder": { "Type": "AWS::Config::ConfigurationRecorder", "Properties": { "Name": "ResumeConfigRecorder", "RecordingGroup": { "AllSupported": true }, "RoleARN": "arn:aws:iam::451750859333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig" } }, "ResumeConfigDeliveryChannel": { "Type": "AWS::Config::DeliveryChannel", "Properties": { "ConfigSnapshotDeliveryProperties": { "DeliveryFrequency": "Three_Hours" }, "Name": "ResumeConfigDeliveryChannel", "S3BucketName": "config-resumematch", "S3KmsKeyArn": { "Fn::GetAtt": [ "ConfigKey", "Arn" ] } } }, "ConfigBucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private", "BucketName": "config-resumematch", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "BucketKeyEnabled": true, "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Ref": "ConfigKey" }, "SSEAlgorithm": "aws:kms" } } ] }, "Tags": [ { "Key": "Name", "Value": "ConfigBucket" } ] } }, "ConfigBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "ConfigBucket" }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::config-resumematch", "Condition": { "StringEquals": { "AWS:SourceAccount": "451750859333" } } }, { "Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::config-resumematch", "Condition": { "StringEquals": { "AWS:SourceAccount": "451750859333" } } }, { "Sid": "AWSConfigBucketDelivery", "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": [ "s3:PutObject*" ],
"Resource": "arn:aws:s3:::config-resumematch/AWSLogs/451750859333/Config/", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "AWS:SourceAccount": "451750859333" } } } ] } } }, "ConfigKey": { "Type": "AWS::KMS::Key", "Properties": { "Description": "Key to encrypt config records in S3", "Enabled": true, "KeyPolicy": { "Version": "2012-10-17", "Id": "config-key-1", "Statement": [ { "Sid": "Enable IAM Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::451750859333:root" }, "Action": "kms:", "Resource": "" }, { "Sid": "Allow administration of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::451750859333:user/ecargle" }, "Action": [ "kms:Put", "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Get*", "kms:Delete*" ], "Resource": "" }, { "Sid": "Allow config to use KMS key", "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": [ "kms:Encrypt", "kms:Decrypt*" ], "Resource": "*" } ] }, "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "Tags": [ { "Key": "Name", "Value": "ConfigKey" } ] } }, "ConfigKeyAlias": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/configKey", "TargetKeyId": { "Ref": "ConfigKey" } } }, "ResumeConfigRuleEC2": { "DependsOn" : "ResumeConfigRecorder", "Type": "AWS::Config::ConfigRule", "Properties": { "ConfigRuleName": "ResumeMatchConfigRuleEC2", "Description": "rule to monitor the configuration of AWS resources", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Volume" ] }, "Source": { "Owner": "AWS", "SourceIdentifier": "EC2_EBS_ENCRYPTION_BY_DEFAULT" } } }, "ResumeConfigRuleS3": { "DependsOn" : "ResumeConfigRecorder", "Type": "AWS::Config::ConfigRule", "Properties": { "ConfigRuleName": "ResumeMatchConfigRuleS3", "Description": "rule to monitor the configuration of AWS resources", "Scope": { "ComplianceResourceTypes": [ "AWS::S3::Bucket"

                ]
            },
            "Source": {
                "Owner": "AWS",
                "SourceIdentifier": "ELB_LOGGING_ENABLED"
            }
        }
    },
    "ResumeConfigRuleELB": {
        "DependsOn" : "ResumeConfigRecorder",
        "Type": "AWS::Config::ConfigRule",
        "Properties": {
            "ConfigRuleName": "ResumeMatchConfigRuleELB",
            "Description": "rule to monitor the configuration of AWS resources",
            "Scope": {
                "ComplianceResourceTypes": [
                    "AWS::ElasticLoadBalancingV2::LoadBalancer"
                ]
            },
            "Source": {
                "Owner": "AWS",
                "SourceIdentifier": "ELB_LOGGING_ENABLED"
            }
        }
    }
}

}
