本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 审计账户中的 Amazon S3 存储桶策略
<a name="logging-s3-audit-bucket"></a>

在 AWS Control Tower 中，只有当请求来自您的组织或组织单位 (OU) 时，AWS服务才能访问您的资源。任何写入权限都必须满足一个 `aws:SourceOrgID` 条件。

您可以在 Amazon S3 存储桶策略的条件元素中使用 `aws:SourceOrgID` 条件键，并将其值设置为您的**组织 ID**。此条件可确保 CloudTrail 只有代表组织内的账户才能将日志写入您的 S3 存储桶；它可以防止组织外部的 CloudTrail 日志写入您的 AWS Control Tower S3 存储桶。

此策略不会影响您现有工作负载的功能。该策略如以下示例所示。

```
S3AuditBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3AuditBucket
      PolicyDocument:
        Version: 2012-10-17		 	 	 
        Statement:
          - Sid: AllowSSLRequestsOnly
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
             - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
             - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/*"
            Condition:
              Bool:
                aws:SecureTransport: false
          - Sid: AWSBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
          - Sid: AWSConfigBucketExistenceCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
                - config.amazonaws.com
            Action: s3:ListBucket
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
          - Sid: AWSBucketDeliveryForConfig
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - Fn::Join:
                  - ""
                  -
                    - !Sub "arn:${AWS::Partition}:s3:::"
                    - !Ref "S3AuditBucket"
                    - !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
            {{Condition:
              StringEquals:
                aws:SourceOrgID: !Ref OrganizationId}}
          - Sid: AWSBucketDeliveryForOrganizationTrail
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !If [IsAccountLevelBucketPermissionRequiredForCloudTrail,
                [!Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${Namespace}/*", !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${OrganizationId}/*"],
                !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"]
            {{Condition:
              StringEquals:
            aws:SourceOrgID: !Ref OrganizationId}}
```

有关此条件键的更多信息，请参阅 IAM 文档和 IAM 博客文章，标题为 “*对访问您的资源的AWS服务使用可扩展的控制*”。