We have just started using Amazon Macie and are running into a problem creating the bucket that will retain findings for longer than 90 days.
The error we get is:
putClassificationExportConfiguration: The operation can't be performed because you're not authorized to access the S3 bucket, the KMS key, or both.
We connect to the console with AWS SSO, and when I look at the IAM policy configuration, my user has administrator permissions on resources and actions.
The S3 bucket policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny non-HTTPS access",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::macie-investigations/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "Deny incorrect encryption header. This is optional",
            "Effect": "Deny",
            "Principal": {
                "Service": "macie.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::macie-investigations/*", …
amazon-s3 amazon-web-services amazon-iam amazon-kms amazon-macie
I am trying to attach an ephemeral volume to a service we run on Fargate so that it can generate some files before copying them to S3. When I launch the service without the volume information, the CloudFormation template is created successfully and the service runs.
However, when the volume parameters are entered, it fails with the following error:
Model validation failed (#/Volumes: expected type: JSONArray, found: JSONObject #/ContainerDefinitions/0/MountPoints: expected type: JSONArray, found: JSONObject #/ContainerDefinitions/0/PortMappings/0/ContainerPort: expected type: Number, found: String)
Here is the template:
Cluster:
  Type: AWS::ECS::Cluster
  Properties:
    ClusterName: !Join ['-', [!Ref Env, !Ref ShortServiceName, cluster]]
TaskDefinition:
  Type: AWS::ECS::TaskDefinition
  DependsOn: LogGroup
  Properties:
    Family: !Join ['-', [!Ref Env, !Ref ShortServiceName, 'taskdefinition']]
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    Cpu: !Ref Cpu
    Memory: !Ref Memory
    Volumes:
      Name: !Ref VolumeName
      DockerVolumeConfiguration:
        Autoprovision: True
        Scope: Task
    ExecutionRoleArn: !Ref ExecutionRole
    TaskRoleArn: !Ref TaskRole
    ContainerDefinitions:
      - Name: !Join ['-', [!Ref Env, !Ref ShortServiceName]]
        Image: !Ref Image
        RepositoryCredentials:
          CredentialsParameter: !Ref RepositoryCredentials …
amazon-web-services aws-cloudformation docker-volume aws-fargate