I tried to write Network Load Balancer access logs to an S3 bucket.
I am on us-west-2.
Based on https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
I tried to attach this policy to my S3 bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::797873946194:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::hm-elastic-load-balancer-bucket/*"
        }
    ]
}
However, I got this error:
ValidationError: Access Denied for bucket: hm-elastic-load-balancer-bucket. Please check S3bucket permission\n\tstatus code: 400, request id: 63a6f8d0-a2f0-45db-b61c-41b662894f6e
I found some conversations such as 1, 2 saying the Network Load Balancer access log S3 bucket policy is very different from the Classic Load Balancer one.
What would be the proper S3 bucket policy for Network Load Balancer access logs? Thanks!
Based on the official docs, the required bucket permissions are described as follows:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::${BUCKET_NAME}",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": ["${AWS_ACCOUNT_ID}"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:*"]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::${BUCKET_NAME}/AWSLogs/${NLB_AWS_ACCOUNT_ID}/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": ["${AWS_ACCOUNT_ID}"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:*"]
                }
            }
        }
    ]
}
Please ensure that you replace the ${placeholders} with your own appropriate values.
There are some requirements that you have to follow:
AWSLogs.
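As an added example (not code from the question or the answer), the following Python renders the answer's policy with the ${placeholders} filled in and checks a bucket policy for what NLB log delivery needs: the delivery.logs.amazonaws.com service principal, the s3:GetBucketAcl grant, the AWSLogs/ prefix, and the ACL and source-account conditions. The account id 111122223333 is a constructed placeholder, the bucket name is the one from the question, and the checker only inspects single-action statements.

```python
import json

LOG_DELIVERY = "delivery.logs.amazonaws.com"  # service principal NLB log delivery uses

def nlb_log_bucket_policy(bucket, account, region, nlb_account=None):
    """Render the answer's bucket policy with its ${placeholders} filled in."""
    nlb_account = nlb_account or account  # NLB lives in the bucket owner's account by default
    def conds(**extra):  # source-account / source-ARN conditions shared by both statements
        return {"StringEquals": {"aws:SourceAccount": [account], **extra},
                "ArnLike": {"aws:SourceArn": [f"arn:aws:logs:{region}:{account}:*"]}}
    return {"Version": "2012-10-17", "Id": "AWSLogDeliveryWrite", "Statement": [
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{bucket}", "Condition": conds()},
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{nlb_account}/*",
         "Condition": conds(**{"s3:x-amz-acl": "bucket-owner-full-control"})}]}

def check_nlb_policy(policy, bucket, account):
    """List the problems that would make NLB log delivery fail (empty list = ok)."""
    def grants(action):  # Allow statements granting `action` to the log-delivery principal
        return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
                and s.get("Action") == action
                and s.get("Principal", {}).get("Service") == LOG_DELIVERY]
    problems = []
    if not grants("s3:GetBucketAcl"):
        problems.append(f"no s3:GetBucketAcl for {LOG_DELIVERY}")
    puts = grants("s3:PutObject")
    if not puts:
        problems.append(f"no s3:PutObject for {LOG_DELIVERY}")
    for s in puts:
        eq = s.get("Condition", {}).get("StringEquals", {})
        if not s["Resource"].startswith(f"arn:aws:s3:::{bucket}/AWSLogs/"):
            problems.append("PutObject resource is not under AWSLogs/")
        if eq.get("s3:x-amz-acl") != "bucket-owner-full-control":
            problems.append("PutObject lacks s3:x-amz-acl=bucket-owner-full-control")
        if account not in eq.get("aws:SourceAccount", []):
            problems.append("PutObject lacks aws:SourceAccount condition")
    return problems

# The question's policy: an ELB-account root principal, which is the ALB/Classic model
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::797873946194:root"}, "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::hm-elastic-load-balancer-bucket/*"}]}

if __name__ == "__main__":  # constructed account id, not a real account
    bucket, acct = "hm-elastic-load-balancer-bucket", "111122223333"
    print(check_nlb_policy(QUESTION_POLICY, bucket, acct))
    print(json.dumps(nlb_log_bucket_policy(bucket, acct, "us-west-2"), indent=2))
```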