Why did the AWS Config auto remediation action for the SSM document AWS-ConfigureS3BucketLogging fail with the error "(MalformedXML)" when calling the PutBucketLogging API?

2 minute read
0

I want to troubleshoot the errors that I get when I set up auto remediation for non-compliant Amazon Simple Storage Service (Amazon S3) resources.

Short description

Using auto remediation to address non-compliant Amazon S3 buckets can generate errors. The following types of errors may occur when you use the AWS SSM Automation document AWS-ConfigureS3BucketLogging with the AWS Config managed rule s3-bucket-logging-enabled:

  • AWS Config console error “Action execution failed (details)."
  • AWS Systems Manager console error "Step fails when it is Execute/Cancelling action. An error occurred (MalformedXML) when calling the PutBucketLogging operation: The XML you provided was not well-formed or did not validate against our published schema. Please refer to the Automation Service Troubleshooting Guide for more diagnosis details."
  • AWS CloudTrail event PutBucketLogging error "The XML you provided was not well-formed or did not validate against our published schema."

Remediation fails when an Amazon S3 bucket, configured as a target bucket to receive server access logging, does not allow the Log Delivery group write access.

Resolution

Grant the Amazon S3 Log Delivery group write access in the target bucket's access control list (ACL). See How do I set ACL bucket permissions? for more information.


Related information

How do I enable server access logging for an S3 bucket?

How can I be notified when an AWS resource is non-compliant using AWS Config?

How can I troubleshoot AWS Config console error messages?

AWS OFFICIAL
AWS OFFICIALUpdated 4 years ago