
First off, full disclosure, my experience with AWS is currently limited really to EC2.

I am trying to get logs for my Elastic Load Balancer (ALB), and I am trying to enable access logs to an S3 bucket.

I have tried several different configurations for the bucket policies. The one that I have currently is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "elasticloadbalancing.amazonaws.com"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::buzzauths3bucket/*",
                "arn:aws:s3:::buzzauths3bucket"
            ]
        }
    ]
}

I also turned off "Block all public access" in the bucket.

But when I go to enable the access logs, I get the following error:

Access Denied for bucket: buzzauths3bucket. Please check S3bucket permission

I have looked at the IAM roles and the ELB is using a service linked role. Now, this is the default role. It also does not have any s3 permissions. However, I cannot edit the permissions and apparently there is no way to add a new role. When I tried creating a new role, I couldn't add those permissions.

I am at a loss here. Please help.

P.S. Ultimately, I am trying to diagnose a 502 error and am out of things to look at so these logs are my only hope right now.

Any advice would be appreciated.

Thanks!


1 Answer


The main issue seems to be that you're using the wrong principal.

The correct principal depends on your region, but will either be "logdelivery.elasticloadbalancing.amazonaws.com" or "arn:aws:iam::<elb-account-id>:root" (where <elb-account-id> will also depend on your specific region). Everything you need to know is here.

Also note that you only need to allow s3:PutObject, so you don't need the bucket level ARN, and your object ARN can be scoped down a bit (e.g. arn:aws:s3:::amzn-s3-demo-logging-bucket/<optional-logging-prefix>/AWSLogs/<your-account-id>/*).

One last thing to check is that your bucket uses SSE-S3 (AWS S3-managed keys).
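To make the points in the answer concrete, here is an added example (not code from the question or the answer) that builds a least-privilege bucket policy in either of the two principal forms described above and lints an existing policy for the mistakes in the question: a principal the log delivery service will not match, actions beyond s3:PutObject, and resources broader than the AWSLogs/<account-id>/ path. The bucket name is the one from the question; the account id, the "alb" prefix and the ELB_ACCOUNT_ID placeholder are constructed values, not real ids.

```python
"""Least-privilege S3 bucket policy for ALB access logs, plus a linter.

Added example, not from the question or answer. Assumptions: the account
id 123456789012 and the prefix "alb" are constructed sample values, and
ELB_ACCOUNT_ID is a placeholder for the region-specific ELB account id
(look it up for your region; it is not known here).
"""
import json

LOGDELIVERY_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"

# The policy posted in the question, used as the "before" input for the linter.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "elasticloadbalancing.amazonaws.com"},
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::buzzauths3bucket/*",
                     "arn:aws:s3:::buzzauths3bucket"],
    }],
}


def build_alb_log_policy(bucket, account_id, prefix="", elb_account_id=None):
    """Return a bucket policy granting only s3:PutObject on the log path.

    With elb_account_id=None the logdelivery service principal is used;
    otherwise the regional ELB account root ARN form is used.
    """
    path = f"{prefix.strip('/')}/" if prefix else ""
    resource = f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*"
    if elb_account_id is None:
        principal = {"Service": LOGDELIVERY_PRINCIPAL}
    else:
        principal = {"AWS": f"arn:aws:iam::{elb_account_id}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": principal,
            "Action": "s3:PutObject",
            "Resource": resource,
        }],
    }


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_alb_log_policy(policy):
    """Return a list of problems in a bucket policy meant for ALB access logs."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            problems.append(f"principal {principal!r} is not a service or account principal")
            continue
        services = _as_list(principal.get("Service"))
        accounts = _as_list(principal.get("AWS"))
        principal_ok = LOGDELIVERY_PRINCIPAL in services or any(
            a.startswith("arn:aws:iam::") and a.endswith(":root") for a in accounts)
        if not principal_ok:
            problems.append(f"principal {principal} will not match the log delivery service")
        extra = sorted(set(_as_list(stmt.get("Action"))) - {"s3:PutObject"})
        if extra:
            problems.append(f"unneeded actions granted: {extra}")
        for resource in _as_list(stmt.get("Resource")):
            if "/AWSLogs/" not in resource:
                problems.append(f"resource {resource} is broader than the AWSLogs/<account-id>/ path")
    return problems


if __name__ == "__main__":
    for problem in lint_alb_log_policy(QUESTION_POLICY):
        print("question policy:", problem)
    fixed = build_alb_log_policy("buzzauths3bucket", "123456789012", prefix="alb")
    print(json.dumps(fixed, indent=2))
    print("fixed policy problems:", lint_alb_log_policy(fixed))
```

Run the linter against your own bucket policy document before applying it; an empty list means the statement is scoped the way the answer describes. The SSE-S3 requirement mentioned last is a bucket encryption setting, not part of the policy document, so it is not something this check can see.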
