Threat Stack Configuration Auditing has several rules that evaluate properties of the S3 bucket that stores CloudTrail Logs. The Resource Type displays as "CloudTrail Bucket Logging," "CloudTrail Bucket Policy" or "CloudTrail Bucket ACL."
If the Threat Stack Configuration Auditing engine does not have permissions to get data on that bucket, AWS returns an error that reads "no S3 bucket for trail with ARN..." and Threat Stack displays that in the user interface.
How this rule type works
To evaluate this resource type, the Configuration Auditing engine does the following:
- Look up the properties of the CloudTrail trail.
- Obtain the ARN of the bucket that stores the logs.
- Review the properties of that bucket.
While reviewing the bucket properties, if AWS returns a "no bucket found" error to Threat Stack, it means that our third-party cross-account role does not have permissions to list details for that bucket.
To resolve the error
1. Confirm the third-party cross-account role for Threat Stack has the following permissions, including:
2. Check the policy and the ACL on the bucket itself. Often these permissions are set on an individual bucket; that overrides the global setting and removes Threat Stack's ability to read those details.
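The three lookup steps above and the bucket-policy check in step 2 of the fix, as an added example that is not Threat Stack's code. It uses a constructed fake CloudTrail client and S3 client so it runs offline; the method names (`describe_trails`, `get_bucket_policy`, `get_bucket_acl`, `get_bucket_logging`) match the real boto3 clients, which could be passed in instead. The `ClientError` class, the `_read`/`_unreadable` helpers, the simplified `denies_for_role` policy check, and all account, role, trail and bucket names are assumptions made up for the example.

```python
"""Walk the three CloudTrail-bucket lookup steps and classify why step 3 fails."""
import fnmatch
import json


class ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (assumption)."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


# The three reads step 3 performs; each needs the IAM action of the same name.
BUCKET_READ_ACTIONS = ("s3:GetBucketPolicy", "s3:GetBucketAcl", "s3:GetBucketLogging")


def _read(call, **kwargs):
    """Run one S3 read; return (response, None) or (None, error code)."""
    try:
        return call(**kwargs), None
    except ClientError as exc:
        return None, exc.response["Error"]["Code"]


def _unreadable(bucket, code):
    # NoSuchBucket and AccessDenied both surface as the article's
    # "no bucket found" symptom: the auditing role cannot read this bucket.
    return {"status": "bucket-unreadable", "bucket": bucket, "error": code}


def lookup_trail_bucket(cloudtrail, s3, trail_name):
    """Steps 1-3 from the article; returns a dict describing the outcome."""
    # Step 1: look up the trail's properties.
    trails = cloudtrail.describe_trails(trailNameList=[trail_name])["trailList"]
    if not trails:
        return {"status": "no-trail", "bucket": None}
    # Step 2: obtain the name of the bucket that stores the logs.
    bucket = trails[0].get("S3BucketName")
    if not bucket:
        return {"status": "no-bucket-configured", "bucket": None}
    # Step 3: review the bucket's policy, ACL and logging configuration.
    resp, code = _read(s3.get_bucket_policy, Bucket=bucket)
    if code == "NoSuchBucketPolicy":
        policy = None  # a bucket without a policy is a normal state
    elif code:
        return _unreadable(bucket, code)
    else:
        policy = json.loads(resp["Policy"])
    for call in (s3.get_bucket_acl, s3.get_bucket_logging):
        _, code = _read(call, Bucket=bucket)
        if code:
            return _unreadable(bucket, code)
    return {"status": "ok", "bucket": bucket, "policy": policy}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_arns(principal):
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []


def denies_for_role(policy, role_arn):
    """Step 2 of the fix: explicit Deny statements covering the role's reads.
    Simplified model (assumption): handles Principal "*" / AWS ARNs and wildcard
    Actions, but not Condition, NotPrincipal or NotAction."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        principals = _principal_arns(stmt.get("Principal"))
        blocked = [a for a in BUCKET_READ_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if blocked and ("*" in principals or role_arn in principals):
            hits.append({"sid": stmt.get("Sid"), "blocked": blocked})
    return hits


class FakeCloudTrail:
    """Constructed stand-in for boto3's CloudTrail client."""
    def __init__(self, trails):
        self.trails = trails

    def describe_trails(self, trailNameList=()):
        return {"trailList": [t for t in self.trails if t["Name"] in trailNameList]}


class FakeS3:
    """Constructed stand-in for boto3's S3 client; each entry holds the bucket's
    policy JSON (or None) and whether the calling role is allowed to read it."""
    def __init__(self, buckets):
        self.buckets = buckets

    def _bucket(self, name):
        if name not in self.buckets:
            raise ClientError("NoSuchBucket", "The specified bucket does not exist")
        if not self.buckets[name]["readable"]:
            raise ClientError("AccessDenied", "Access Denied")
        return self.buckets[name]

    def get_bucket_policy(self, Bucket):
        policy = self._bucket(Bucket)["policy"]
        if policy is None:
            raise ClientError("NoSuchBucketPolicy", "The bucket policy does not exist")
        return {"Policy": policy}

    def get_bucket_acl(self, Bucket):
        self._bucket(Bucket)
        return {"Grants": []}

    def get_bucket_logging(self, Bucket):
        self._bucket(Bucket)
        return {}


# Constructed sample data: placeholder account id, role, trail and bucket names.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleAuditRole"
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyBucketReadsToEveryone", "Effect": "Deny",
                   "Principal": "*", "Action": "s3:GetBucket*",
                   "Resource": "arn:aws:s3:::example-trail-logs"}],
}
CLOUDTRAIL = FakeCloudTrail([
    {"Name": "locked-trail", "S3BucketName": "example-trail-logs"},
    {"Name": "orphan-trail", "S3BucketName": "example-deleted-bucket"},
    {"Name": "healthy-trail", "S3BucketName": "example-open-logs"},
])
S3 = FakeS3({
    "example-trail-logs": {"policy": json.dumps(DENY_POLICY), "readable": False},
    "example-open-logs": {"policy": None, "readable": True},
})

if __name__ == "__main__":
    for trail in ("locked-trail", "orphan-trail", "healthy-trail"):
        print(trail, lookup_trail_bucket(CLOUDTRAIL, S3, trail))
    print("deny statements hitting the role:", denies_for_role(DENY_POLICY, ROLE_ARN))
```

The `locked-trail` case reproduces the symptom from the article: the trail is fine, but the per-bucket Deny overrides whatever the role was granted globally, so step 3 fails. Running `denies_for_role` over the bucket policy from the owning account points at the statement to adjust.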