amazon-web-services - 如何修复 AWS Config 生成 AccessDenied 错误？

Question

我正在尝试允许 AWS Config 写入非公共(public) S3 存储桶。

基于 the official documentation ，我应该有两个策略分配给 AWS 角色。但是，不能向服务相关角色添加任何策略，也不能为 AWS config 创建自定义的新服务相关角色。


因此，如何在不公开存储桶的情况下停止接收 S3 AccessDenied 错误？

编辑:这是错误日志:

{
"eventVersion": "1.07",
"userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxxxxxxxxxx:AWSConfig-BucketConfigCheck",
    "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/AWSServiceRoleForConfig/AWSConfig-BucketConfigCheck",
    "accountId": "xxxxxxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxxxxxxx",
    "sessionContext": {
        "sessionIssuer": {
            "type": "Role",
            "principalId": "xxxxxxxxxxxxxxxxxxxxx",
            "arn": "arn:aws:iam::xxxxxxxxxxxx:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "accountId": "xxxxxxxxxxxx",
            "userName": "AWSServiceRoleForConfig"
        },
        "attributes": {
            "creationDate": "2020-04-30T00:43:57Z",
            "mfaAuthenticated": "false"
        }
    },
    "invokedBy": "AWS Internal"
},
"eventTime": "2020-04-30T00:43:57Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutObject",
"awsRegion": "eu-west-1",
"sourceIPAddress": "xxx.xxx.xxx.xxx",
"userAgent": "[AWSConfig]",
"errorCode": "AccessDenied",
"errorMessage": "Access Denied",
"requestParameters": {
    "bucketName": "aws-config-bucket-xxxxxxxxxxxx",
    "Host": "aws-config-bucket-xxxxxxxxxxxx.s3.eu-west-1.amazonaws.com",
    "x-amz-acl": "bucket-owner-full-control",
    "x-amz-server-side-encryption": "AES256",
    "key": "AWSLogs/xxxxxxxxxxxx/Config/ConfigWritabilityCheckFile"
},
"responseElements": null,
"additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-SHA",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=",
    "bytesTransferredOut": 243
},
"requestID": "xxxxxxxxxxxxxxxx",
"eventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"readOnly": false,
"resources": [
    {
        "type": "AWS::S3::Object",
        "ARN": "arn:aws:s3:::aws-config-bucket-xxxxxxxxxxxx/AWSLogs/xxxxxxxxxxxx/Config/ConfigWritabilityCheckFile"
    },
    {
        "accountId": "xxxxxxxxxxxx",
        "type": "AWS::S3::Bucket",
        "ARN": "arn:aws:s3:::aws-config-bucket-xxxxxxxxxxxx"
    }
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "xxxxxxxxxxxx",
"vpcEndpointId": "vpce-xxxxxxxx",
"eventCategory": "Data"

}

Answer 1

我在这里找到了答案:https://forums.aws.amazon.com/thread.jspa?threadID=314156

When AWS Config sends configuration information to an Amazon S3 bucket in another account, it first attempts to use the IAM role, but this attempt fails if the access policy for the bucket does not grant WRITE access to the IAM role. In this event, AWS Config sends the information again, this time as the AWS Config service principal.

我检查了我的日志，并且有一个 AWS Config 服务主体日志，与 AccessDenied 相同的秒数被接受。因此，可以安全地忽略该错误。我更新了我的 Cloudwatch 警报以忽略它:

{($.errorCode="*UnauthorizedOperation") || (($.errorCode="AccessDenied*") && (($.userIdentity.type!="AssumedRole") || ($.userAgent!="[AWSConfig]")))}