How to allow AWS Athena access to cloudfront standard logs in s3 bucket?
I am delivering Cloudfront standard logs into one s3 bucket.
The bucket is created via terragrunt/form
terraform {
source = "github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.15.0"
}
include "root" {
path = find_in_parent_folders()
expose = true
}
locals {
vars = include.root.locals.vars
app_name = basename(dirname(abspath(get_terragrunt_dir())))
bucket = "${include.root.locals.tags.Environment}-${local.app_name}-logs-${get_aws_account_id()}"
}
inputs = {
tags = include.root.locals.tags
bucket = local.bucket
acl = "log-delivery-write"
block_public_policy = true
control_object_ownership = true
object_ownership = "BucketOwnerPreferred"
attach_public_policy = false
attach_policy = true
policy = {
Statement = [
{
Sid = "ListObjectsInBucket"
Effect = "Allow"
Principal = {
Service = "athena.amazonaws.com"
}
Action = "s3:ListBucket"
Resource = "arn:aws:s3:::${local.bucket}"
},
{
Sid = "AllObjectsActions"
Effect = "Allow"
Principal = {
Service = "athena.amazonaws.com"
}
Action = "s3:*"
Resource = "arn:aws:s3:::${local.bucket}/*"
}
]
}
lifecycle_rule = [
{
id = "cloudfront-logs-expiration"
enabled = true
prefix = "" # Apply to all objects
tags = {} # Apply regardless of tags
expiration = {
days = 30
}
}
]
force_destroy = local.vars.env != "prod" ? true : false
}
The logs are delivered perfectly fine from cloudfront -> s3 above
I create the table in AWS ATHENA with this query: (of course using my s3 bucket)
CREATE EXTERNAL TABLE IF NOT EXISTS cloudfront_standard_logs (
`date` DATE,
time STRING,
x_edge_location STRING,
sc_bytes BIGINT,
c_ip STRING,
cs_method STRING,
cs_host STRING,
cs_uri_stem STRING,
sc_status INT,
cs_referrer STRING,
cs_user_agent STRING,
cs_uri_query STRING,
cs_cookie STRING,
x_edge_result_type STRING,
x_edge_request_id STRING,
x_host_header STRING,
cs_protocol STRING,
cs_bytes BIGINT,
time_taken FLOAT,
x_forwarded_for STRING,
ssl_protocol STRING,
ssl_cipher STRING,
x_edge_response_result_type STRING,
cs_protocol_version STRING,
fle_status STRING,
fle_encrypted_fields INT,
c_port INT,
time_to_first_byte FLOAT,
x_edge_detailed_result_type STRING,
sc_content_type STRING,
sc_content_len BIGINT,
sc_range_start BIGINT,
sc_range_end BIGINT
)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY '\t'
LOCATION 's3://DOC-EXAMPLE-BUCKET/'
TBLPROPERTIES ( 'skip.header.line.count'='2' )
The above is documented here https://docs.aws.amazon.com/athena/latest/ug/cloudfront-logs.html also https://repost.aws/knowledge-center/analyze-logs-athena
So far, so good!!! the table is created.
The problem happens when I try to query data:
SELECT
sc_status,
COUNT(*) AS request_count
FROM
cloudfront_standard_logs
GROUP BY
sc_status
How can I allow AWS Athena to access this bucket and fix the error ? What changes should I make in my terragrunt code policy for it. I don't understand why the permissions I gave are not enough
The terragrunt/form policy above is converted and attached as this json to the bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Principal": {
"Service": "athena.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::secret"
},
{
"Sid": "AllObjectsActions",
"Effect": "Allow",
"Principal": {
"Service": "athena.amazonaws.com"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::secret*"
}
]
}
Solution
I fixed the issue but not 100% HOW and WHY
- I changed in my terragrunt code and removed
acl = "log-delivery-write" - I deleted this bucket
- I created it again with only step 1 changing!!!
MAGIC, now athena can access the files in my new bucket..
- AWS Lambda No module named 'regex._regex'
- Unable to resolve " not a valid key=value pair (missing equal-sign) in Authorization header" when POSTing to api gateway
- How to reset EC2 ubuntu instance?
- How to zip files properly on mac for unzipping via python from s3?
- Issues generating CloudFront signed URLs; always Access Denied
- AWS EventBridge Pipeline - Self Managed Kafka filter not working
- aws lambda function triggering multiple times for a single event
- Trying to create AWS spot datafeed, getting error: InaccessibleStorageLocation
- Can't see my EC2 instances on the management console?
- React web app Auth UserPool not configured
- How to retrieve usage on Amazon S3 based on tag?
- AWS Amplify: How to delete the environment, when resources are already partially deleted?
- Interactive shell in Docker image with Amazon ECS with `aws ecs run-task` followed by `aws ecs execute-command`
- Terraform v0.11.1 : Error downloading modules: Error loading modules: open .terraform/modules/3f10921295c292995128e9e36eb: no such file or directory
- Ansible - include vars file from remote host
- How to change AWS Lamp apache root directory?
- AWS Codeartifact and Poetry auth problems with private packages
- S3 Intelligent - Tiering with snowflake managed iceberg tables
- InvalidClientTokenId error aws when trying to get caller identity
- AWS Route 53: cost of having a subdomain on another DNS provider than AWS
- Unable to connect from MySQL Workbench to AWS RDS instance
- Querying timestamp data in Athena when the timestamp format in the underlying JSON files has changed
- Difference between AWS::IAM::Policy and AWS::IAM::ManagedPolicy
- During an aborted deployment, some instances may have deployed the new application version
- API Gateway V2 private integration to application load balancer always returns 503
- AWS ELB -> Backend Server over HTTPS with Self-Signed Certificate
- ELB to backend server using HTTPS with self-signed certificate
- How to pass different principals when deploying a bucket policy using terraform
- Clarification for AWS auto-scaling of instances
- Instances scaling (by ASG) but no new tasks being created