Has anyone encounted an access denied error for the cloudTrailLambda getting to the Transit VPC S3 bucket?
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
Typically as long as the S3 bucket is created with the default settings and in the same region it will work. Maybe try launching it one more time using the same S3 Bucket. You need to have listbucket and getobject permissions set so if there was any deviation from the base permissions you could get an error.
I'm getting errors from the CloudTrail based bucket that is created, not the bootstrap bucket I created manually before. I've launched this many times and I continue to get the same permission error on that bucket.
Right now I am just trying to get it to work within the same account.
The CFNs are creating, these are just errors I see on the Lambda function afterwards.
I was actually able to get this working a few days ago when I deployed into my lab account as the root user. Worked in us-east-2 and us-east-1.
I am deploying to a customer account today again, and I get the same error message in S3. Created an IAM role to give the cloudTrailLambda function admin access (just for testing) and now the solution works.
I am still seeing another error message in the Cloudtrail logs for cloudTrailLambda, but once we gave it admin access the VPN tunnels to a test VPC were created and connected to the PANs.
The only difference between my lab and my customer's environment is I am deploying with my company's AWS account using an an assumed role that has admin access, and I used my root account for my lab.
Even though it is working with the modified Lambda role right now, we are going to attempt to re-deploy tomorrow under the customer's root account to see if that keeps these issues from occuring.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!