amazon-web-services - Cloudformation 创建私有(private) S3 存储桶失败并显示 : InvalidBucketAclWithObjectOwnership

Question

我已经使用以下 AWS Cloudformation 模板创建私有(private) S3 存储桶(用于存储 ALB 日志)至少两年了，但它现在停止工作(2023 年 4 月)。这是我现在得到的错误:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID:

这是云信息模板:

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket to store ALB logs

Resources:
  ALBLogsBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Sub "pierre-alb-logs-${AWS::AccountId}"
      AccessControl: LogDeliveryWrite
      LifecycleConfiguration:
        Rules:
          - Id: ExpireLogs
            ExpirationInDays: 365
            Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

我知道 AWS 更改了与公共(public)存储桶相关的内容(它们很糟糕)。现在，我们在创建公共(public)存储桶时必须非常明确。但这是一个私有(private)桶。我搜索了“神奇配置”来解决问题，但没有骰子...有人知道我的 Cloudformation 模板出了什么问题吗？我应该删除什么，应该添加什么？

Answer 1

这个模板似乎有效:

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket to store ALB logs

Resources:
  ALBLogsBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Sub "pierre-alb-logs-${AWS::AccountId}"
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      LifecycleConfiguration:
        Rules:
          - Id: ExpireLogs
            ExpirationInDays: 365
            Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

变化:

1. 我删除了:AccessControl:LogDeliveryWrite
2. 我添加了(这可能不需要，但我添加它是为了明确):

OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced