DataDog CloudTrail 集成缺少 ListObject 权限

huangapple go评论64阅读模式
英文:

DataDog CloudTrail integration missing ListObject permission

问题

我今天在我的AWS账户上安装了DataDog AWS CloudTrail集成(它会创建一个CloudFormation堆栈,并创建一个Lambda,用于将S3中的CloudTrails日志转发到您的DataDog帐户,除其他内容)。

在安装集成后,我在DataDog配置屏幕上看到了一个错误:

<MY_AWS_ACCOUNT_ID>

management-events - aws-cloudtrail-logs-<redacted>-<redacted>

在调用ListObjects操作时发生错误(拒绝访问):拒绝访问

有人知道我需要授予DataDog创建的IAM角色(作为此CF堆栈的一部分)哪些IAM权限,以便它可以执行ListObjects吗?我猜这与S3相关的权限?

我看到DataDog堆栈还为我创建了一个名为datadogintegration-forwarderstack-forwarderbucket-<redacted>的S3存储桶,它的当前存储桶策略如下:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::datadogintegration-forwarderstack-forwarderbucket-<redacted>",
                "arn:aws:s3:::datadogintegration-forwarderstack-forwarderbucket-<redacted>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

但我不确定我是否需要更改此策略或IAM权限,或者需要进行其他更改。

有人能找出我做错了什么吗?

英文:

I installed the DataDog AWS CloudTrail Integration on my AWS account today (it creates a CloudFormation stack and creates, amongst other things, a Lambda that forwards logs from your CloudTrails logs in S3 onto your DataDog account).

After installing the integration I am seeing an error in the DataDog configuration screen:

&lt;MY_AWS_ACCOUNT_ID&gt;

management-events - aws-cloudtrail-logs-&lt;redacted&gt;-&lt;redacted&gt;

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

Does anybody have any idea what IAM Permissions I need to grant to the IAM Role that DataDog created (as part of this CF stack) so that it can ListObjects? I'm guessing this is an S3-related permission?

I see that the DataDog stack also created an S3 bucket for me called datadogintegration-forwarderstack-forwarderbucket-&lt;redacted&gt; and its current bucket policy is:

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Sid&quot;: &quot;AllowSSLRequestsOnly&quot;,
            &quot;Effect&quot;: &quot;Deny&quot;,
            &quot;Principal&quot;: &quot;*&quot;,
            &quot;Action&quot;: &quot;s3:*&quot;,
            &quot;Resource&quot;: [
                &quot;arn:aws:s3:::datadogintegration-forwarderstack-forwarderbucket-&lt;redacted&gt;&quot;,
                &quot;arn:aws:s3:::datadogintegration-forwarderstack-forwarderbucket-&lt;redacted&gt;/*&quot;
            ],
            &quot;Condition&quot;: {
                &quot;Bool&quot;: {
                    &quot;aws:SecureTransport&quot;: &quot;false&quot;
                }
            }
        }
    ]
}

But I'm not sure if I need to make a change to this policy or an IAM permission or something else.

Can anyone spot where I'm going awry?

答案1

得分: 0

你需要为由Cfn创建的IAM角色分配适当的策略

流程如下:

  • 创建策略
  • 将其附加到您的角色

策略将如下所示,如果需要更多访问权限,请添加适当的权限。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>",
                "arn:aws:s3:::<bucketname>/*"
            ],
            "Effect": "Allow"
        }
    ]
}

附注:

您可以始终使用AWS策略模拟器检查对特定资源的角色或服务访问权限。

您也可以使用存储桶策略来执行此操作,但在我看来,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-A:role/xxxx"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

在面对以下3种情况时,我会使用存储桶策略,尽管选择IAM策略或存储桶策略取决于您的偏好:

  • 如果您仅使用AWS服务S3,您可能会发现直接通过存储桶策略在S3内管理权限更容易。
  • 您可能希望使用存储桶策略来允许来自不同AWS帐户的访问。
  • 您可能需要使用存储桶策略来基于AWS IAM身份以外的某些因素允许对S3资源的访问。例如,您可以限制S3访问以仅允许特定IP地址的请求。您还可以限制对S3桶中媒体资产的访问,以仅允许特定引荐来源的请求,以便只允许您的网站显示图像和视频。

由于您现有的存储桶策略执行,请确保访问S3存储桶,否则您将无法访问。

英文:

You would need to assign Appropriate policy to IAM role create by Cfn

Flow would:

  • create policy
  • attach it to your role

The policy will be this, add appropriate permissions if you need more access.

{
&quot;Version&quot;: &quot;2012-10-17&quot;,
&quot;Statement&quot;: [
    {
        &quot;Action&quot;: [
            &quot;s3:ListBucket&quot;,
            &quot;s3:GetObject&quot;,
            &quot;s3:GetObjectAcl&quot;
        ],
        &quot;Resource&quot;: [
             &quot;arn:aws:s3:::&lt;bucketname&gt;&quot;,
            &quot;arn:aws:s3:::&lt;bucketname&gt;/*&quot;
        ],
        &quot;Effect&quot;: &quot;Allow&quot;
    }
 ]
}

Side Note:

You can always check your access for role or service to particular resource by using AWS policy simulator

You can also do this using a bucket policy but in my opinion

{
        &quot;Version&quot;: &quot;2012-10-17&quot;,
        &quot;Statement&quot;: [
            {
                &quot;Effect&quot;: &quot;Allow&quot;,
                &quot;Principal&quot;: {
                    &quot;AWS&quot;: &quot;arn:aws:iam::ACCOUNT-A:role/xxxx&quot;
                },
                &quot;Action&quot;: [
                    &quot;s3:GetObject&quot;,
                    &quot;s3:PutObject&quot;
                ],
                &quot;Resource&quot;: [
                    &quot;arn:aws:s3:::bucket-name/*&quot;
                ]
            }
        ]
    }

I use bucket policy when I am about to face 3 situations like these, although it's your preference to choose IAM policy or bucket policy:

  • if the only AWS service you’re using is S3, you may find it easier to manage permissions directly within S3 via bucket policies
  • where you may want to use bucket policies is for allowing access from a different AWS account.
  • where you might need to use bucket policies is for when you want to allow access to S3 resources based on something other than AWS IAM identity. For example, you could limit S3 access to requests from particular IP addresses. You could also limit access to media assets in your S3 bucket to requests from a specific referrer so as to only allow your website to display images and video.

Since your existing bucket policy enforces make sure to access s3 bucket https otherwise you won't be able to access.

huangapple
  • 本文由 发表于 2023年3月1日 10:33:03
  • 转载请务必保留本文链接:https://go.coder-hub.com/75599082.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定