Today the ap-northeast-2 region became newly available. When I tried to enable CloudTrail there, it failed with an error.

Incorrect S3 bucket policy is detected for bucket: iret.cloudtrail.logs (Aws::CloudTrail::Errors::InsufficientS3BucketPolicyException)

The S3 bucket policy needed the appropriate permissions added.

Looking at CloudTrail Supported Regions, the AWS Account ID *1 for ap-northeast-2 is listed there. Specify the following ARN as the Principal.

arn:aws:iam::492519147666:root

The policy then looks like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::035351147821:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root",
                    "arn:aws:iam::492519147666:root"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::your-bucket-name"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::035351147821:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root",
                    "arn:aws:iam::492519147666:root"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-bucket-name/AWSLogs/*/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

*1 Wasn't that called the AWS Account Number?
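The InsufficientS3BucketPolicyException above is CloudTrail's way of saying that the bucket policy does not give its account the two grants it checks for: s3:GetBucketAcl on the bucket itself and s3:PutObject under AWSLogs/ with the bucket-owner-full-control ACL condition. The following is an added example, not code from the original post: it builds the policy shown above from a list of account IDs and reports which of those two grants are missing for a given account, so the old policy (without the ap-northeast-2 account) fails the check and the updated one passes. The account IDs are the ones in the post's policy; the bucket name is the one from the error message; the matching is an exact-string comparison that deliberately does not expand wildcards.

```python
"""Build the CloudTrail bucket policy from the post and check which required
grants an existing policy is missing for one CloudTrail account.
Added example, not part of the original post."""
import json

# Account IDs copied from the policy in the post; the last one is the
# ap-northeast-2 entry the post says had to be added.
AP_NORTHEAST_2_ACCOUNT = "492519147666"
CLOUDTRAIL_ACCOUNTS = [
    "903692715234", "035351147821", "859597730677", "814480443879",
    "216624486486", "086441151436", "388731089494", "284668455005",
    "113285607260", AP_NORTHEAST_2_ACCOUNT,
]
PUT_CONDITION = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}


def root_arn(account_id):
    return f"arn:aws:iam::{account_id}:root"


def build_policy(bucket, account_ids):
    """The two-statement policy from the post: GetBucketAcl on the bucket and
    PutObject under AWSLogs/ that must hand ownership to the bucket owner."""
    principals = [root_arn(a) for a in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*/*",
                "Condition": PUT_CONDITION,
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)  # bare "*" form


def _grants(stmt, arn, action, resource, condition):
    # Exact-match check: wildcard actions or resources are not expanded,
    # which is fine for linting the specific policy shape CloudTrail expects.
    return (
        stmt.get("Effect") == "Allow"
        and arn in _aws_principals(stmt)
        and action in _as_list(stmt.get("Action", []))
        and resource in _as_list(stmt.get("Resource", []))
        and (condition is None or stmt.get("Condition") == condition)
    )


def missing_grants(policy, bucket, account_id):
    """Return the required actions that no statement grants to account_id."""
    arn = root_arn(account_id)
    statements = _as_list(policy.get("Statement", []))
    required = [
        ("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}", None),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/AWSLogs/*/*", PUT_CONDITION),
    ]
    return [
        action for action, resource, condition in required
        if not any(_grants(s, arn, action, resource, condition) for s in statements)
    ]


if __name__ == "__main__":
    bucket = "iret.cloudtrail.logs"  # bucket named in the post's error message
    before = build_policy(bucket, CLOUDTRAIL_ACCOUNTS[:-1])  # without ap-northeast-2
    after = build_policy(bucket, CLOUDTRAIL_ACCOUNTS)
    print("before:", missing_grants(before, bucket, AP_NORTHEAST_2_ACCOUNT))
    print("after: ", missing_grants(after, bucket, AP_NORTHEAST_2_ACCOUNT))
    print(json.dumps(after, indent=4))
```

Running the script prints both required actions as missing for the old policy and an empty list for the updated one; dropping the Condition from the PutObject statement makes s3:PutObject show up as missing again, which is the case that is easiest to overlook when editing the policy by hand.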

The original article is here:

[AWS] Allowing CloudTrail log Puts for the ap-northeast-2 region