Why did the AWS Config auto remediation action for the SSM document AWS-ConfigureS3BucketLogging fail with the error "(MalformedXML)" when calling the PutBucketLogging API?

Last updated: 2020-09-01

I followed the instructions to set up auto remediation for non-compliant Amazon Simple Storage Service (Amazon S3) resources.

For example, I used the AWS SSM Automation document AWS-ConfigureS3BucketLogging with the AWS Config managed rule s3-bucket-logging-enabled to auto remediate non-compliant Amazon S3 buckets.

However, the remediation action fails with an error similar to the following:

  • AWS Config console error "Action execution failed (details)".
  • AWS Systems Manager console error "Step fails when it is Execute/Cancelling action. An error occurred (MalformedXML) when calling the PutBucketLogging operation: The XML you provided was not well-formed or did not validate against our published schema. Please refer to Automation Service Troubleshooting Guide for more diagnosis details."
  • AWS CloudTrail event PutBucketLogging error "The XML you provided was not well-formed or did not validate against our published schema".

Short description

An Amazon S3 bucket configured as a target bucket to receive server access logging must allow the Log Delivery group write permission, or the remediation action fails.

Resolution

Grant the Amazon S3 Log Delivery group write access in the target bucket's access control list (ACL). For more information, see How do I set ACL bucket permissions?
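
The following is an added example, not part of the original article or of the AWS-ConfigureS3BucketLogging document: a pre-flight check that inspects a target bucket's ACL, in the shape returned by the S3 GetBucketAcl API, and reports whether the Log Delivery group has the write grant that the remediation depends on. The function names, the `required` parameter, and the sample ACLs are assumptions constructed for illustration.

```python
"""Pre-flight check: can the S3 Log Delivery group write to a target bucket?"""

# Predefined S3 group URI that identifies the Log Delivery group in an ACL.
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def log_delivery_permissions(acl):
    """Return the set of permissions the ACL grants to the Log Delivery group."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_URI:
            perms.add(grant.get("Permission"))
    return perms


def missing_log_delivery_permissions(acl, required=("WRITE",)):
    """Return the required permissions the Log Delivery group lacks (sorted)."""
    granted = log_delivery_permissions(acl)
    if "FULL_CONTROL" in granted:  # FULL_CONTROL covers every other ACL permission
        return []
    return sorted(set(required) - granted)


# Constructed sample ACLs (placeholder owner ID, not real buckets).
OWNER_GRANT = {
    "Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Permission": "FULL_CONTROL",
}
OWNER_ONLY_ACL = {"Grants": [OWNER_GRANT]}  # remediation would fail
LOGGING_READY_ACL = {
    "Grants": [
        OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "WRITE"},
    ]
}

if __name__ == "__main__":
    samples = (("owner-only", OWNER_ONLY_ACL), ("logging-ready", LOGGING_READY_ACL))
    for name, acl in samples:
        missing = missing_log_delivery_permissions(acl)
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: Log Delivery group {status}")
```

Run it against the ACL of the bucket named as the remediation's target before enabling auto remediation; a non-empty result means the Log Delivery group grant still has to be added.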