Getting "permission denied" while attaching bucket to NLB in CFT?

Hey All
Good afternoon.

I'm trying to implement a CFT to create an S3 bucket that stores NLB access logs. I'm getting permission denied while trying to attach my bucket to the NLB.

The policy statement looks like this.

```json
{
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "elasticloadbalancing.amazonaws.com",
            "delivery.logs.amazonaws.com"
          ]
        },
        "Action": [
          "s3:PutObject"
        ],
        "Resource": [
          "arn:aws:s3:::${S3BucketForNLBLogs}/*"
        ],
        "Condition": {
          "StringEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
          }
        }
      },
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::elb-account-id:root"
        },
        "Action": "s3:PutObject",
        "Resource": [
          "arn:aws:s3:::${S3BucketForNLBLogs}/*"
        ]
      },
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::${S3BucketForNLBLogs}",
          "arn:aws:s3:::${S3BucketForNLBLogs}/*"
        ],
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "false"
          }
        }
      }
    ]
  }
}
```

This may be of some help → Bucket requirements: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html#access-logging-bucket-requirements

I'm following the same documentation as well, but the policy is not working in my account.

I'm getting access denied, and CloudTrail doesn't show why, though.

```json
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": ["0123456789"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": ["0123456789"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
                }
            }
        }
    ]
}
```

"aws:SourceAccount": ["0123456789"]

In that policy, is 0123456789 my account number or something from this list?

```yaml
      BucketPrincipal: '127311923021'
    us-east-2:
      BucketPrincipal: '033677994240'
    us-west-1:
      BucketPrincipal: '027434742980'
    us-west-2:
      BucketPrincipal: '797873946194'
    ca-central-1:
      BucketPrincipal: '985666609251'
    eu-central-1:
      BucketPrincipal: '054676820928'
    eu-west-1:
      BucketPrincipal: '156460612806'
    eu-west-2:
      BucketPrincipal: '652711504416'
    eu-west-3:
      BucketPrincipal: '009996457667'
    eu-north-1:
      BucketPrincipal: '897822967062'
    ap-east-1:
      BucketPrincipal: '754344448648'
    ap-northeast-1:
      BucketPrincipal: '582318560864'
    ap-northeast-2:
      BucketPrincipal: '600734575887'
    ap-northeast-3:
      BucketPrincipal: '383597477331'
    ap-southeast-1:
      BucketPrincipal: '114774131450'
    ap-southeast-2:
      BucketPrincipal: '783225319266'
    ap-south-1:
      BucketPrincipal: '718504428378'
    sa-east-1:
      BucketPrincipal: '507241528517'
    us-gov-west-1:
      BucketPrincipal: '048591011584'
    us-gov-east-1:
      BucketPrincipal: '190560391635'
    cn-north-1:
      BucketPrincipal: '638102146993'
    cn-northwest-1:
      BucketPrincipal: '037604701340'
```

As per the AWS documentation → aws:SourceAccount: specify the list of account numbers for which logs are being delivered to this bucket.

So to me, this is your AWS account number.

Also, the document says:
aws:SourceArn: specify the list of ARNs of the resource that generates the logs.

For this, I think it has to be the NLB ARN.
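As an added check for the kind of mistakes this thread turns on (example code, not from the thread or from AWS): a small Python linter that takes a bucket policy as text and reports curly quotes, `s3:PutObject` grants whose resource is not an object pattern under the bucket (the posted template grants on `.../` with no `*`), a missing `s3:GetBucketAcl` allow for `delivery.logs.amazonaws.com`, and `aws:SourceAccount` values that are not 12-digit account IDs. The bucket name `nlb-logs-example` and the `BROKEN` document are constructed for this example.

```python
import json
import re

LOG_DELIVERY = "delivery.logs.amazonaws.com"

# Constructed sample, not the questioner's template: same shape as the policy posted
# above, with an object grant on "<bucket>/" (no "*"), no GetBucketAcl statement for
# the log-delivery service, and word-processor curly quotes instead of ASCII quotes.
BROKEN = '''{“Version”: “2012-10-17”, “Statement”: [
  {“Effect”: “Allow”, “Principal”: {“Service”: [“delivery.logs.amazonaws.com”]},
   “Action”: [“s3:PutObject”], “Resource”: [“arn:aws:s3:::nlb-logs-example/”]},
  {“Effect”: “Deny”, “Principal”: “*”, “Action”: “s3:*”,
   “Resource”: [“arn:aws:s3:::nlb-logs-example”, “arn:aws:s3:::nlb-logs-example/*”],
   “Condition”: {“Bool”: {“aws:SecureTransport”: “false”}}}]}'''

def _as_list(value):
    """Action, Resource, Service and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]

def lint_log_bucket_policy(raw, bucket):
    """Return findings (strings) for an NLB access-log bucket policy given as text."""
    findings = []
    if re.search("[\u201c\u201d]", raw):
        findings.append("curly quotes found: the document is not valid JSON")
        raw = re.sub("[\u201c\u201d]", '"', raw)  # repair so the other checks can run
    policy = json.loads(raw)
    bucket_arn = "arn:aws:s3:::" + bucket
    saw_acl_check = False
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "s3:PutObject" in actions:
            # PutObject is object-level: the resource has to be an object pattern under
            # the bucket, e.g. arn:aws:s3:::<bucket>/AWSLogs/<account>/*
            for res in resources:
                if not (res.startswith(bucket_arn + "/") and res.endswith("/*")):
                    findings.append("s3:PutObject on %r is not an object pattern under %s" % (res, bucket_arn))
        if "s3:GetBucketAcl" in actions and LOG_DELIVERY in services and bucket_arn in resources:
            saw_acl_check = True
        for acct in _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount", [])):
            if not re.fullmatch(r"\d{12}", str(acct)):
                findings.append("aws:SourceAccount %r is not a 12-digit AWS account ID" % acct)
    if not saw_acl_check:
        findings.append("no Allow for %s to s3:GetBucketAcl on %s" % (LOG_DELIVERY, bucket_arn))
    return findings
```

Run against the documentation policy quoted above with its `0123456789` placeholder left in, the linter flags both `aws:SourceAccount` values; with a real 12-digit account ID substituted it returns no findings.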