jLl4PEsrWvzRveVfhAQuUpdate AWS S3 bucket policy for VPC Flow Logs
Update AWS S3 bucket policy for VPC Flow Logs
inputs
outputs
import boto3
import json
from botocore.exceptions import ClientError
creds = _get_creds(cred_label)['creds']
access_key = creds['username']
secret_key = creds['password']
def create_bucket_policy(bucket_name, account_number, regions):
"""
Create a bucket policy for the specified bucket, account number, and regions.
"""
policy_statements = [
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:GetBucketAcl",
"Resource": f"arn:aws:s3:::{bucket_name}",
"Condition": {"StringEquals": {"aws:SourceAccount": account_number}}
}
]
resource = f"arn:aws:s3:::{bucket_name}/AWSLogs/{account_number}/*"
for region in regions:
source_arn = f"arn:aws:logs:{region}:{account_number}:*"
policy_statements.append(
{
"Sid": f"AWSLogDeliveryWrite_{region}",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": resource,
"Condition": {
"StringEquals": {
"aws:SourceAccount": account_number,
"s3:x-amz-acl": "bucket-owner-full-control"
},
"ArnLike": {"aws:SourceArn": source_arn}
}
}
)
policy = {
"Version": "2012-10-17",
"Id": "AWSLogDeliveryWrite20150319",
"Statement": policy_statements
}
return policy
def update_s3_bucket_policy(s3_client, bucket_name, policy):
"""
Update the S3 bucket policy.
"""
try:
s3_client.put_bucket_policy(
Bucket=bucket_name,
Policy=json.dumps(policy)
)
print(f"Bucket policy updated for {bucket_name}.")
except ClientError as e:
print(f"Error updating bucket policy: {e}")
account_number = boto3.client('sts',aws_access_key_id=access_key,aws_secret_access_key=secret_key).get_caller_identity()['Account']
#bucket_name = 'your-bucket-name' # Replace with your S3 bucket name
#regions_for_bucket_policy = ['us-east-1', 'ap-south-1'] # List of regions
# This part will be used if the user has the same logging bucket for multiple regions for VPC Flow Logs
# Create S3 client
s3_client = boto3.client('s3',aws_access_key_id=access_key,aws_secret_access_key=secret_key)
# Create and update the bucket policy
policy = create_bucket_policy(bucket_name, account_number, regions_for_bucket_policy)
update_s3_bucket_policy(s3_client, bucket_name, policy)
s3_bucket_arn = f"arn:aws:s3:::{bucket_name}" #passed to downstream task
copied