CloudTrail creation on S3 gives insufficientS3BucketPolicyException Incorrect S3 bucket policy is detected for bucket.


I am trying to create a CloudTrail trail that delivers logs to an S3 bucket that has KMS encryption enabled with a customer managed key (CMK). However, trail creation fails with "insufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket". The bucket policy is:

{
	"Version": "2012-10-17",
	"Id": "S3-Console-Auto-Gen-Policy-13213123",
	"Statement": [
		{
			"Sid": "S3PolicyStmt-DO-NOT-MODIFY-3123123123",
			"Effect": "Allow",
			"Principal": {
				"Service": "logging.s3.amazonaws.com"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "111222333"
				}
			}
		},
		{
			"Sid": "EnforceHTTPS",
			"Effect": "Deny",
			"Principal": {
				"AWS": "*"
			},
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::workday-adaptive-cp/*",
				"arn:aws:s3:::workday-adaptive-cp"
			],
			"Condition": {
				"Bool": {
					"aws:SecureTransport": "false"
				}
			}
		},
		{
			"Sid": "RequireKMSEncryption",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringNotEquals": {
					"s3:x-amz-server-side-encryption": "aws:kms"
				}
			}
		},
		{
			"Sid": "RequireSpecificKMSKey",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringNotLikeIfExists": {
					"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-2:111222333:key/3e-4507-9be4-edfdsafdf"
				}
			}
		},
		{
			"Sid": "DenySSE-S3",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/*",
			"Condition": {
				"StringEquals": {
					"s3:x-amz-server-side-encryption": "AES256"
				}
			}
		},
		{
			"Sid": "AWSCloudTrailToWriteLogs",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": [
				"s3:GetBucketAcl",
				"s3:PutObject"
			],
			"Resource": [
				"arn:aws:s3:::workday-adaptive-cp",
				"arn:aws:s3:::workday-adaptive-cp/*"
			]
		},
		{
			"Sid": "AWSCloudTrailAclCheck20150319-c91c4293-9539-455b-8a7b-8107eb1c940f",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": "s3:GetBucketAcl",
			"Resource": "arn:aws:s3:::workday-adaptive-cp",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:cloudtrail:us-east-2:111222333:trail/CloudTrail_WorkdayAdaptiveCP_S3_Events"
				}
			}
		},
		{
			"Sid": "AWSCloudTrailWrite20150319-aee3ee70-cfsdfksnfklsdnfkcsfkn",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::workday-adaptive-cp/CloudTrail_S3_Events/AWSLogs/111222333/*",
			"Condition": {
				"StringEquals": {
					"AWS:SourceArn": "arn:aws:cloudtrail:us-east-2:111222333:trail/CloudTrail_WorkdayAdaptiveCP_S3_Events",
					"s3:x-amz-acl": "bucket-owner-full-control"
				}
			}
		}
	]
}

The KMS key policy of the customer managed key (CMK) is:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111222333:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111222333:root"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111222333:root"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow CloudTrail Use of the Key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Encrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111222333:trail/*"
                }
            }
        }
    ]
}
  • Thanks for sharing the references. I modified the bucket policy and the KMS key policy based on the docs and then tried creating the CloudTrail trail again, but I am still getting the same error: InsufficientS3BucketPolicyException Incorrect S3 bucket policy is detected for bucket: workday-adaptive-cp
