- 最新
- 投票最多
- 评论最多
Thanks for bringing this issue to our attention. We apologize for any inconvenience this has caused. We can confirm that AWS Config is delivering recorded data to your configured S3 bucket correctly. The AccessDenied error logs for HeadBucket API calls you are seeing in CloudTrail is a side effect of a check we introduced last week. We are making a HeadBucket API call to check for the existence of the S3 bucket and determine the region in which the S3 bucket is located before delivering the data. This was added so that data can be delivered efficiently to S3 buckets located in regions different from where Config data was recorded. You can update your S3 bucket policy to include s3:ListBucket permissions for config.amazonaws.com to stop the AccessDenied events from getting logged in your CloudTrail logs.
Here is a sample S3 bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:ListBucket"
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
]
}
[1] S3 Head Bucket API reference https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketHEAD.html
Thanks, been seeing this in my cloudtrail as well. There's a typo in the policy, add a comma after Action line:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3::: YOUR_BUCKET_NAME"
}
]
}
Hi,
I am getting this error in my Cloudtrail logs every few minutes. I have tried adding this policy to the S3 Bucket policy directly but doesn't seem to fix the issue.
This error triggers my unauthorized api call metric alarm
Any help would be appreciated.
Looking at my Source IP in the error it displays as "AWS Internal" which I cannot add as the service name and errors on saving.
相关内容
AWS 官方已更新 2 年前- AWS 官方已更新 2 年前
- AWS 官方已更新 2 年前
