Hey All
Good afternoon.
I’m trying to implement CFT to create s3 bucket that store NLB access logs. I’m getting permission denied while trying to attach my bucket to NLB
Policy statement looks like this.
{
“PolicyDocument”: {
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: {
“Service”: [
“http://elasticloadbalancing.amazonaws.com|elasticloadbalancing.amazonaws.com”,
“http://delivery.logs.amazonaws.com|delivery.logs.amazonaws.com”
]
},
“Action”: [
“s3:PutObject”
],
“Resource”: [
“arn:aws:s3:::${S3BucketForNLBLogs}/"
],
“Condition”: {
“StringEquals”: {
“s3:x-amz-acl”: “bucket-owner-full-control”
}
}
},
{
“Effect”: “Allow”,
“Principal”: {
“AWS”: “arn:aws:iam::elb-account-id:root”
},
“Action”: “s3:PutObject”,
“Resource”: [
"arn:aws:s3:::${S3BucketForNLBLogs}/”
]
},
{
“Effect”: “Deny”,
“Principal”: “",
“Action”: "s3:”,
“Resource”: [
“arn:aws:s3:::${S3BucketForNLBLogs}”,
“arn:aws:s3:::${S3BucketForNLBLogs}/*”
],
“Condition”: {
“Bool”: {
“aws:SecureTransport”: “false”
}
}
}
]
}
}
This may be of some help → <Access logs for your Network Load Balancer - Elastic Load Balancing requirements>
I’m following the same documentation as well. But policy not working in my account
I’m getting access denied and cloudtrail doesn’t show why though
"Version": "2012-10-17",
"Id": "AWSLogDeliveryWrite",
"Statement": [
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringEquals": {
"aws:SourceAccount": ["0123456789"]
},
"ArnLike": {
"aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
}
}
},
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": ["0123456789"]
},
"ArnLike": {
"aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
}
}
}
]
}```"aws:SourceAccount": ["0123456789"]
in that policy 0123456789 is my account number or something from this list??
BucketPrincipal: '127311923021'
us-east-2:
BucketPrincipal: '033677994240'
us-west-1:
BucketPrincipal: '027434742980'
us-west-2:
BucketPrincipal: '797873946194'
ca-central-1:
BucketPrincipal: '985666609251'
eu-central-1:
BucketPrincipal: '054676820928'
eu-west-1:
BucketPrincipal: '156460612806'
eu-west-2:
BucketPrincipal: '652711504416'
eu-west-3:
BucketPrincipal: '009996457667'
eu-north-1:
BucketPrincipal: '897822967062'
ap-east-1:
BucketPrincipal: '754344448648'
ap-northeast-1:
BucketPrincipal: '582318560864'
ap-northeast-2:
BucketPrincipal: '600734575887'
ap-northeast-3:
BucketPrincipal: '383597477331'
ap-southeast-1:
BucketPrincipal: '114774131450'
ap-southeast-2:
BucketPrincipal: '783225319266'
ap-south-1:
BucketPrincipal: '718504428378'
sa-east-1:
BucketPrincipal: '507241528517'
us-gov-west-1:
BucketPrincipal: '048591011584'
us-gov-east-1:
BucketPrincipal: '190560391635'
cn-north-1:
BucketPrincipal: '638102146993'
cn-northwest-1:
BucketPrincipal: '037604701340'```in that policy
0123456789is my account number or something from this list??
As per AWS documentation →aws:SourceAccount, specify the list of account numbers for which logs are being delivered to this bucket.
So to me, this is your AWS Account number
Also, the document says,
aws:SourceArn, specify the list of ARNs of the resource that generates the logs
For this, I think it has to be NLB ARN
