Your policy looks fine. Are you using SSE-S3 keys? https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#bucket-permissions-troubleshooting
If you receive an access denied error, the following are possible causes:
- The bucket uses an unsupported server-side encryption option. The bucket must use Amazon S3-managed keys (SSE-S3).
Hi Steve, thanks for your reply. UK time here (now Sunday morning) so apologies for the slow response. Yes, it appears so. The bucket properties have "Server-side encryption with Amazon S3 managed keys (SSE-S3)" selected. Any other thoughts?
"Resource": "arn:aws:s3:::myfirstbucket/prefix/AWSLogs/1111111111/*"
Is there actually a folder called prefix in the top level of the bucket? Or is that just a generic term in place of the "real" folder name?
Sorry, no, there isn't. It was pasted from the original docs and I forgot to change it in my original message. That being said, I've tried both with a prefix and without. I've also tried creating the prefix folder first in the bucket even though the docs say you don't need to. Also, as a test I created a file called mylog.txt and put it in a folder called elb, so the real S3 URI is now s3://myfirstbucket/elb/mylog.txt, and if I click the View button in the Access Logs section I can see it fine. So it's there and I appear to have permission to view it. But I still get the same "Access Denied for bucket: myfirstbucket. Please check S3bucket permission".
Note it's not actually called myfirstbucket, but I wasn't sure if giving the real name here was a security risk, as they appear to have to be globally unique, not just AWS account unique. Any other thoughts, Steve?
Sorry no :-( I've done this before myself and it "just worked" by following the steps in the link in your original question (or, as it was a few years ago, whatever the official AWS advice was at the time).
Could the account be part of an AWS Organisation that is using Service Control Policies to enforce any kind of strict bucket policy that ALB might fall foul of? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_s3.html
Hi, I got the same issue and just figured out the solution today.
Do you use any encryption policy for your bucket? You can try:
Turns out my encryption policy doesn't allow uploading any unencrypted files to S3 so it also blocks the access logs.
Hope this helps!
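A way to check a bucket policy for the situation described in the answer above, as an added example that is not part of the original thread: it lists Deny statements that cover `s3:PutObject` and test a server-side-encryption header. The function names are hypothetical, and the sample policy (including its principal and Deny statement) is constructed around the bucket name and resource ARN used in the thread.

```python
import fnmatch
import json

# Condition keys that encryption-enforcing bucket policies test on uploads.
SSE_KEYS = {"s3:x-amz-server-side-encryption",
            "s3:x-amz-server-side-encryption-aws-kms-key-id"}

# Constructed sample policy: an Allow for log delivery plus a Deny that
# rejects any PutObject sent without an encryption header.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowElbLogs", "Effect": "Allow",
         "Principal": {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::myfirstbucket/prefix/AWSLogs/1111111111/*"},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:Put*", "Resource": "arn:aws:s3:::myfirstbucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
})

def as_list(value):
    """IAM allows a single value where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]

def covers_put_object(actions):
    """True if any action pattern (s3:*, s3:Put*, *) matches s3:PutObject."""
    return any(fnmatch.fnmatchcase("s3:putobject", a.lower())
               for a in as_list(actions))

def find_encryption_denies(policy_json):
    """Return (sid, operator, key) for Deny statements on PutObject that test an SSE header."""
    hits = []
    statements = as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Deny":
            continue
        if not covers_put_object(stmt.get("Action", [])):
            continue
        for operator, tested in stmt.get("Condition", {}).items():
            for key in tested:
                if key.lower() in SSE_KEYS:
                    hits.append((stmt.get("Sid", f"Statement[{i}]"), operator, key))
    return hits

if __name__ == "__main__":
    for sid, operator, key in find_encryption_denies(SAMPLE_POLICY):
        print(f"{sid}: Deny on PutObject when {operator} {key}")
```

An explicit Deny overrides the Allow statement for log delivery, so any statement this reports is worth reading against the access-denied error. The input is the policy document as returned by `aws s3api get-bucket-policy`.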