
Cloudtrail with sendToCloudWatchLogs: true, InvalidCloudWatchLogsLogGroupArnException #1963

Closed
RobinsonAndrew opened this issue Mar 6, 2019 · 1 comment · Fixed by #1966
Labels
@aws-cdk/aws-cloudtrail Related to AWS CloudTrail bug This issue is a bug.

Comments

@RobinsonAndrew
Contributor

I am trying to create a CloudTrail that pushes logs to CloudWatch, but on deployment I am getting the error: Access denied. Check the permissions for your role. (Service: AWSCloudTrail; Status Code: 400; Error Code: InvalidCloudWatchLogsLogGroupArnException; Request ID: 377ff359-5952-4225-a446-571c606292c8).

Steps to reproduce:

  1. Create project with cdk init
  2. Import @aws-cdk/aws-cloudtrail
  3. Add to stack constructor:
new cloudtrail.CloudTrail(this, "MyCloudTrail", {
    sendToCloudWatchLogs: true,
});
  4. npm run build
  5. npm run deploy

Results in error:

 6/8 | 10:48:23 | CREATE_FAILED        | AWS::CloudTrail::Trail | MyCloudTrail (MyCloudTrail76780474) Access denied. Check the permissions for your role. (Service: AWSCloudTrail; Status Code: 400; Error Code: InvalidCloudWatchLogsLogGroupArnException; Request ID: 377ff359-5952-4225-a446-571c606292c8)
	new CloudTrail (/Users/andrew/dev/cdk-test/src/node_modules/@aws-cdk/aws-cloudtrail/lib/index.ts:167:19)
	\_ new SrcStack (/Users/andrew/dev/cdk-test/src/lib/src-stack.ts:7:5)
	\_ Object.<anonymous> (/Users/andrew/dev/cdk-test/src/bin/src.ts:7:1)
	\_ Module._compile (module.js:653:30)
	\_ Object.Module._extensions..js (module.js:664:10)
	\_ Module.load (module.js:566:32)
	\_ tryModuleLoad (module.js:506:12)
	\_ Function.Module._load (module.js:498:3)
	\_ Function.Module.runMain (module.js:694:10)
	\_ startup (bootstrap_node.js:204:16)
	\_ bootstrap_node.js:625:3

The log group in question seems to have been created correctly:

 1/8 | 10:47:56 | CREATE_COMPLETE      | AWS::Logs::LogGroup    | MyCloudTrail/LogGroup (MyCloudTrailLogGroup980930D1) 

Code:

import cdk = require('@aws-cdk/cdk');
import * as cloudtrail from "@aws-cdk/aws-cloudtrail";

export class SrcStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    new cloudtrail.CloudTrail(this, "MyCloudTrail", {
      sendToCloudWatchLogs: true,
    });
  }
}

YAML:

Resources:
  MyCloudTrailS31252D2B6:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: SrcStack/MyCloudTrail/S3/Resource
  MyCloudTrailS3Policy4C0ED7AB:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: MyCloudTrailS31252D2B6
      PolicyDocument:
        Statement:
          - Action: s3:GetBucketAcl
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::GetAtt:
                - MyCloudTrailS31252D2B6
                - Arn
          - Action: s3:PutObject
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - MyCloudTrailS31252D2B6
                      - Arn
                  - /AWSLogs/
                  - Ref: AWS::AccountId
                  - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: SrcStack/MyCloudTrail/S3/Policy/Resource
  MyCloudTrailLogGroup980930D1:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 365
    Metadata:
      aws:cdk:path: SrcStack/MyCloudTrail/LogGroup
  MyCloudTrailLogsRole6AAFFA43:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: SrcStack/MyCloudTrail/LogsRole/Resource
  MyCloudTrailLogsRoleDefaultPolicy5F726F5E:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:PutLogEvents
              - logs:CreateLogStream
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - MyCloudTrailLogsRole6AAFFA43
                      - Arn
                  - :log-stream:*
        Version: "2012-10-17"
      PolicyName: MyCloudTrailLogsRoleDefaultPolicy5F726F5E
      Roles:
        - Ref: MyCloudTrailLogsRole6AAFFA43
    Metadata:
      aws:cdk:path: SrcStack/MyCloudTrail/LogsRole/DefaultPolicy/Resource
  MyCloudTrail76780474:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName:
        Ref: MyCloudTrailS31252D2B6
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - MyCloudTrailLogGroup980930D1
          - Arn
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - MyCloudTrailLogsRole6AAFFA43
          - Arn
      EnableLogFileValidation: true
      EventSelectors: []
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
    DependsOn:
      - MyCloudTrailS3Policy4C0ED7AB
    Metadata:
      aws:cdk:path: SrcStack/MyCloudTrail/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: aws-cdk=0.25.1,@aws-cdk/aws-cloudtrail=0.25.1,@aws-cdk/aws-cloudwatch=0.25.1,@aws-cdk/aws-codepipeline-api=0.25.1,@aws-cdk/aws-events=0.25.1,@aws-cdk/aws-iam=0.25.1,@aws-cdk/aws-kms=0.25.1,@aws-cdk/aws-logs=0.25.1,@aws-cdk/aws-s3=0.25.1,@aws-cdk/aws-s3-notifications=0.25.1,@aws-cdk/cdk=0.25.1,@aws-cdk/cx-api=0.25.1,jsii-runtime=node.js/v8.12.0
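In the synthesized template above, the Logs role's policy grants logs:PutLogEvents and logs:CreateLogStream on an ARN built from the role itself (MyCloudTrailLogsRole6AAFFA43), not from the log group the trail's CloudWatchLogsLogGroupArn points at. As an added example (not CDK's own code), the following Python check walks a synthesized template and flags any trail whose Logs role has no Allow statement for both actions scoped to that trail's log group; the template dict it runs on is a constructed cut-down copy of the issue's output.

```python
# Added template check (not CDK's own code): verify, for every CloudTrail trail in a
# synthesized CloudFormation template (parsed to a dict), that its CloudWatch Logs
# role holds logs:PutLogEvents and logs:CreateLogStream on the trail's own log group.
WRITE_ACTIONS = {"logs:PutLogEvents", "logs:CreateLogStream"}

def _refs(node):
    """Yield every logical ID reached through Ref or Fn::GetAtt under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::GetAtt" in node:
            yield node["Fn::GetAtt"][0]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from _refs(child)

def check_trail_log_permissions(template):
    """Return logical IDs of trails whose Logs role lacks the write grant."""
    resources = template["Resources"]
    policies = [r for r in resources.values() if r["Type"] == "AWS::IAM::Policy"]
    findings = []
    for trail_id, trail in resources.items():
        props = trail.get("Properties", {})
        if trail["Type"] != "AWS::CloudTrail::Trail" or "CloudWatchLogsLogGroupArn" not in props:
            continue
        group_ids = set(_refs(props["CloudWatchLogsLogGroupArn"]))
        role_ids = set(_refs(props["CloudWatchLogsRoleArn"]))
        granted = any(
            stmt.get("Effect") == "Allow"
            and WRITE_ACTIONS <= set(stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]])
            and group_ids & set(_refs(stmt["Resource"]))  # scoped to the trail's log group
            for pol in policies if role_ids & set(_refs(pol["Properties"].get("Roles", [])))
            for stmt in pol["Properties"]["PolicyDocument"]["Statement"])
        if not granted:
            findings.append(trail_id)
    return findings

def sample_template(policy_target):
    """Constructed cut-down copy of the issue's template; the role policy's Resource is built from policy_target's ARN."""
    arn = {"Fn::Join": ["", [{"Fn::GetAtt": [policy_target, "Arn"]}, ":log-stream:*"]]}
    return {"Resources": {
        "LogGroup": {"Type": "AWS::Logs::LogGroup"}, "LogsRole": {"Type": "AWS::IAM::Role"},
        "LogsRolePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "Roles": [{"Ref": "LogsRole"}], "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": sorted(WRITE_ACTIONS), "Resource": arn}]}}},
        "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
            "CloudWatchLogsLogGroupArn": {"Fn::GetAtt": ["LogGroup", "Arn"]},
            "CloudWatchLogsRoleArn": {"Fn::GetAtt": ["LogsRole", "Arn"]}}}}}
```

`sample_template("LogsRole")` reproduces the issue's shape (policy scoped to the role ARN) and is reported; `sample_template("LogGroup")` scopes it to the log group and passes.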
@RobinsonAndrew
Contributor Author

Ok, I have figured out the bug. I will create a PR for the fix.
