Hello.
I think that the IAM policy itself for the IAM user is the policy described in the document you checked, and there is no problem.
Maybe something went wrong and the bucket policy wasn't added to S3.
Are there any errors in the CloudTrail event history?
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
Try adding the settings to your S3 bucket policy as described in the documentation below.
https://repost.aws/knowledge-center/config-console-error
Check the Amazon S3 bucket policy, and then verify that it allows the config.amazonaws.com service to write into the target bucket. Then, review the IAM entity permission, and then use the AWS Config Full access policy. Finally, verify that the IAM entity has permissions to write to the s3:GetBucketAcl and s3:PutObject* buckets.
Why not try adding the bucket policy described in the document below yourself?
https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html#granting-access-in-another-account
1. AWS Config Full Access
Ensure that the IAM user has full access to AWS Config. This can be done using the AWSConfigFullAccess managed policy or a custom policy with full permissions on the AWS Config service.
2. S3 Bucket Permissions
The IAM user needs to have permissions to create and modify the S3 bucket policy where AWS Config will store its logs. The policy should include actions like:
```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:GetBucketPolicy",
    "s3:PutBucketPolicy",
    "s3:CreateBucket",
    "s3:PutObjectAcl"
  ],
  "Resource": [
    "arn:aws:s3:::<Bucket-Name>",
    "arn:aws:s3:::<Bucket-Name>/*"
  ]
}
```
3. IAM Permissions for Service-Linked Role
AWS Config needs to assume a service-linked role to perform its actions. The IAM user should have permissions to create and manage service-linked roles. The necessary IAM permissions might look like this:
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:CreateServiceLinkedRole",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy"
  ],
  "Resource": "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
}
```
4. Policy for AWS Config Service Role
AWS Config requires a service role with policies that allow it to deliver logs to the S3 bucket. If AWS doesn't automatically create the correct policy, you might need to manually attach the following policy to the service role:
```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:GetBucketLocation",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::<Bucket-Name>",
    "arn:aws:s3:::<Bucket-Name>/*"
  ]
}
```
5. Enabling AWS Config
After setting these permissions, the IAM user should be able to enable AWS Config without encountering errors related to insufficient permissions.
Troubleshooting
If you still encounter errors:
**Check the S3 Bucket Policy:** Ensure that the bucket policy allows the AWS Config service role to put objects into the bucket.
**Verify IAM Role:** Make sure the service-linked role for AWS Config is correctly configured and associated with the necessary permissions.
**S3 Bucket Name and Prefix:** Confirm that the bucket name and any specified prefixes in the AWS Config settings are correct and properly configured.
Hello,
Please try this solution; it will be helpful for you.
To enable AWS Config with the least privileges for an IAM user, follow the steps below.
1. Create a Custom IAM Policy
This policy grants the necessary permissions for enabling AWS Config, creating the required S3 bucket, and setting up the service-linked role. This is the IAM policy you need to create:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketTagging",
        "s3:GetBucketPolicy",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
    }
  ]
}
```
2. Assign the Policy to the IAM User
- Go to the IAM console in AWS.
- Find and select the IAM user who needs to enable AWS Config.
- Under the Permissions tab, attach the custom policy you just created.
3. Enable AWS Config
- Now, log in with the IAM user and enable AWS Config.
- Go to the AWS Config console.
- Choose the necessary options (like regions, resources, and configuration recorder).
- When prompted to set up the S3 bucket, provide the name of the bucket or allow AWS Config to create one.
4. Verify S3 Bucket Policy
- If AWS Config creates the S3 bucket automatically, it should also automatically apply the necessary bucket policy. If it doesn't, you can manually apply a bucket policy like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```
Replace `<bucket_name>` with your actual S3 bucket name.
https://repost.aws/knowledge-center/config-console-error
https://docs.aws.amazon.com/config/latest/developerguide/security_iam_id-based-policy-examples.html
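As an added example (not from any answer in this thread): a small offline Python checker that reads a bucket policy and reports whether it grants the config.amazonaws.com service principal s3:PutObject on the bucket's objects and s3:GetBucketAcl on the bucket, the two grants the earlier answer says to verify, and whether the PutObject grant is tied to the bucket-owner-full-control ACL condition. The bucket name example-config-bucket is a placeholder.

```python
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"

def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _resource_matches(pattern, bucket, object_level):
    """Match one Resource ARN against the bucket (or its objects when object_level)."""
    wanted = f"arn:aws:s3:::{bucket}/*" if object_level else f"arn:aws:s3:::{bucket}"
    return pattern in ("*", "arn:aws:s3:::*", wanted)

def config_grants(policy, bucket, action, object_level):
    """Return the Allow statements that give the AWS Config service principal `action`."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if (stmt.get("Effect") == "Allow" and CONFIG_PRINCIPAL in services
                and (action in actions or "s3:*" in actions)
                and any(_resource_matches(r, bucket, object_level)
                        for r in _as_list(stmt.get("Resource")))):
            hits.append(stmt)
    return hits

def check_config_bucket_policy(policy_json, bucket):
    """Report the PutObject and GetBucketAcl grants for config.amazonaws.com and
    whether PutObject is conditioned on the bucket-owner-full-control ACL."""
    policy = json.loads(policy_json)
    put_stmts = config_grants(policy, bucket, "s3:PutObject", True)
    acl_stmts = config_grants(policy, bucket, "s3:GetBucketAcl", False)
    owner_control = any(
        s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        == "bucket-owner-full-control" for s in put_stmts)
    return {"put_object": bool(put_stmts), "get_bucket_acl": bool(acl_stmts),
            "owner_full_control_enforced": owner_control}

# Constructed sample: the bucket policy shown in the answer above, with a placeholder bucket name.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "config.amazonaws.com"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-config-bucket/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]})

if __name__ == "__main__":
    # The sample policy has no s3:GetBucketAcl grant, so that finding comes back False.
    print(check_config_bucket_policy(SAMPLE_POLICY, "example-config-bucket"))
```

Run it against the policy you actually pulled from the bucket (for example the output of `aws s3api get-bucket-policy`) to see which of the required grants is missing before re-trying the AWS Config setup.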
Hi,
You have a full working example at https://github.com/hashicorp/terraform-provider-aws/issues/8655#issuecomment-816592661
Best,
Didier
So you can try to apply that IAM Policies to the new IAM user for AWS Config and use that user to change the AWS Config logs to the new bucket.
In my case: