Configuration Audit Error "No S3 bucket for trail"


Error description

Threat Stack Configuration Auditing has several rules that evaluate properties of the S3 bucket that stores CloudTrail Logs. The Resource Type displays as "CloudTrail Bucket Logging," "CloudTrail Bucket Policy" or "CloudTrail Bucket ACL."

If the Threat Stack Configuration Auditing engine does not have permissions to get data on that bucket, AWS returns an error that reads "no S3 bucket for trail with ARN..." and Threat Stack displays that in the user interface.

How this rule type works

To evaluate this resource type, the Configuration Auditing engine does the following:

  1. Looks up the properties of the CloudTrail trail.
  2. Obtains the ARN of the S3 bucket that stores the trail's logs.
  3. Reviews the properties (logging, policy, ACL) of that bucket.

If AWS returns the "no S3 bucket for trail" error to Threat Stack while the engine is reviewing the bucket properties, it means that our 3rd party cross-account role does not have permission to read the details of that bucket.

To resolve the error

1. Confirm the 3rd party cross-account role for Threat Stack has the following permissions:

s3:GetBucketAcl
s3:GetBucketPolicy
s3:ListAllMyBuckets
s3:GetBucketLocation
s3:GetBucketLogging

2. Check the policy and the ACL on the bucket itself. Often these permissions are set on an individual bucket; an explicit Deny there overrides the role's global grant and removes Threat Stack's ability to read those details.
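The two checks above can be scripted as a quick self-check. The following is an added example, not Threat Stack code: it does a simplified evaluation of the role's IAM policy and the bucket policy (action wildcards and the Principal element are honoured; Resource, NotAction and Condition are ignored) and reports which of the five required actions the role cannot use. The account ID, role name and bucket name are constructed placeholders.

```python
"""Simplified IAM check: every required s3 action must be covered by an Allow
statement in the role policy and not hit by an explicit Deny in the bucket
policy. Resource, NotAction and Condition elements are not evaluated."""
import fnmatch
import json

# The five actions the article says the cross-account role needs.
REQUIRED_ACTIONS = [
    "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:ListAllMyBuckets",
    "s3:GetBucketLocation", "s3:GetBucketLogging",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, principal_arn=None):
    """True if stmt names `action` (wildcards such as s3:Get* honoured) and,
    when a principal is given, applies to it ("*" or the exact role ARN)."""
    patterns = _as_list(stmt.get("Action", []))
    if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
        return False
    if principal_arn is None:
        return True
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in arns or principal_arn in arns

def missing_permissions(role_policy, bucket_policy, role_arn):
    """Required actions the role cannot use: not allowed by the role policy,
    or explicitly denied to the role by the bucket policy."""
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s["Effect"] == "Allow" and _statement_matches(s, action)
                      for s in role_policy.get("Statement", []))
        denied = any(s["Effect"] == "Deny" and _statement_matches(s, action, role_arn)
                     for s in bucket_policy.get("Statement", []))
        if not allowed or denied:
            missing.append(action)
    return missing

# Constructed sample: the role is granted s3:Get* only (so ListAllMyBuckets is
# missing), and the bucket policy explicitly denies GetBucketPolicy to the role.
ROLE_ARN = "arn:aws:iam::111122223333:role/ThreatStackAudit"  # placeholder
ROLE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": ['
    '{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}')
BUCKET_POLICY = json.loads('{"Version": "2012-10-17", "Statement": ['
    '{"Effect": "Deny", "Principal": {"AWS": "' + ROLE_ARN + '"}, '
    '"Action": "s3:GetBucketPolicy", "Resource": "arn:aws:s3:::example-trail-logs"}]}')

if __name__ == "__main__":
    print(missing_permissions(ROLE_POLICY, BUCKET_POLICY, ROLE_ARN))
```

To audit a real account, feed it the role policy from `aws iam get-role-policy` and the bucket policy from `aws s3api get-bucket-policy`; an empty list means both checks in the steps above pass.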
