F5 Distributed Cloud App Infrastructure Protection (AIP) Configuration Auditing has several rules that evaluate properties of the S3 bucket that stores CloudTrail logs. The Resource Type displays as "CloudTrail Bucket Logging," "CloudTrail Bucket Policy" or "CloudTrail Bucket ACL."
If the Distributed Cloud AIP Configuration Auditing engine does not have permission to get data on that bucket, AWS returns an error that reads "no S3 bucket for trail with ARN..." and Distributed Cloud AIP displays that error in the user interface.
How this rule type works
To evaluate this resource type, the Configuration Auditing engine does the following:
- Look up the properties of the CloudTrail trail.
- Obtain the ARN of the bucket that stores the logs.
- Review the properties of that bucket.
While reviewing the bucket properties, if AWS returns a "no bucket found" error to Distributed Cloud AIP, it means that the third-party cross-account role used by Distributed Cloud AIP does not have permission to list details for that bucket.
To resolve the error
- Confirm that the third-party cross-account role for Distributed Cloud AIP has the following permissions:
- Check the policy and the ACL on the bucket itself. These permissions are often set on the individual bucket, which overrides the account-level setting and removes Distributed Cloud AIP's ability to read those details.
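The three audit steps above (look up the trail, obtain its log bucket, review the bucket's logging, policy and ACL) and the permission failure described under "To resolve the error", as an added example that is not part of this page or of Distributed Cloud AIP's own code. The client objects use the boto3 method names (describe_trails, get_bucket_logging, get_bucket_policy, get_bucket_acl) but are constructed stubs so the example runs offline; the auditor role ARN, bucket names and the "no bucket" error mapping to AccessDenied/NoSuchBucket are assumptions for illustration.

```python
"""Walk the CloudTrail log-bucket audit steps and classify permission failures.

The stub clients below mirror boto3's method names so the audit function could be
handed real boto3 clients; the responses and error codes are constructed samples.
"""
import json

# Constructed sample value: the cross-account role the auditor assumes.
AUDITOR_ROLE_ARN = "arn:aws:iam::111111111111:role/third-party-auditor"


class ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (constructed)."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeCloudTrail:
    """Stub CloudTrail client: one trail whose logs land in a sample bucket."""

    def describe_trails(self, trailNameList=None):
        return {"trailList": [{
            "Name": "org-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
            "S3BucketName": "ct-logs-sample",
        }]}


class FakeS3:
    """Stub S3 client; `readable` models whether the bucket's policy/ACL let the
    auditor role read bucket details, `policy` is the bucket policy it returns."""

    def __init__(self, readable, policy):
        self.readable = readable
        self.policy = policy

    def _gate(self):
        # A bucket-level Deny (policy or ACL) surfaces as AccessDenied even when
        # the role's account-level IAM policy allows the call.
        if not self.readable:
            raise ClientError("AccessDenied", "Access Denied")

    def get_bucket_logging(self, Bucket):
        self._gate()
        return {"LoggingEnabled": {"TargetBucket": "ct-access-logs"}}

    def get_bucket_policy(self, Bucket):
        self._gate()
        return {"Policy": json.dumps(self.policy)}

    def get_bucket_acl(self, Bucket):
        self._gate()
        return {"Grants": [{"Grantee": {"Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"}]}


def policy_denies_principal(policy_doc, principal_arn):
    """Heuristic: True if any Deny statement names this principal or '*'."""
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws or principal_arn in aws:
            return True
    return False


def audit_cloudtrail_bucket(ct, s3, trail_name, auditor_arn=AUDITOR_ROLE_ARN):
    """Step 1: trail properties. Step 2: its log bucket. Step 3: bucket details."""
    trails = ct.describe_trails(trailNameList=[trail_name])["trailList"]
    if not trails:
        return {"status": "error", "detail": f"trail {trail_name} not found"}
    bucket = trails[0]["S3BucketName"]
    try:
        logging_cfg = s3.get_bucket_logging(Bucket=bucket)
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
        acl = s3.get_bucket_acl(Bucket=bucket)
    except ClientError as e:
        code = e.response["Error"]["Code"]
        if code in ("AccessDenied", "NoSuchBucket"):
            # The situation the page describes: the cross-account role cannot
            # read bucket details, usually because of a bucket-level policy/ACL.
            return {"status": "error", "bucket": bucket,
                    "detail": "auditor role cannot read bucket details; "
                              "check the bucket policy and ACL"}
        raise
    findings = []
    if "LoggingEnabled" not in logging_cfg:
        findings.append("bucket access logging disabled")
    if policy_denies_principal(policy, auditor_arn):
        findings.append("bucket policy contains a Deny statement naming the auditor role")
    for grant in acl.get("Grants", []):
        if grant["Grantee"].get("URI", "").endswith("/AllUsers"):
            findings.append("ACL grants access to AllUsers")
    return {"status": "ok", "bucket": bucket, "findings": findings}


if __name__ == "__main__":
    readable = FakeS3(True, {"Version": "2012-10-17", "Statement": []})
    print(audit_cloudtrail_bucket(FakeCloudTrail(), readable, "org-trail"))
    print(audit_cloudtrail_bucket(FakeCloudTrail(), FakeS3(False, {}), "org-trail"))
```

The error branch is the point of the example: the role's own IAM policy can allow s3:GetBucket* calls account-wide, yet a bucket policy or ACL on the individual log bucket still produces AccessDenied, which is why the resolution step is to inspect the bucket itself rather than only the role.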