Storing Application Load Balancer access logs in a KMS-encrypted S3 bucket

Question

I was recently working on enabling Access Logs for my app's Application Load Balancer, and wanted to store those logs in an encrypted S3 bucket. It's trivial to do this using S3's own managed encryption, but I can't figure out how to get it working using KMS-managed encryption. I continue to get "Access Denied for bucket: (bucket). Please check S3bucket permission" in the ALB Edit Load Balancer Attributes page.  
  
I think that I need to grant the ELB service access to the KMS key so it can encrypt the log files before storing them in the bucket. I've tried modifying the Key policy to allow this but my attempts have been fruitless so far.  
  
Has anyone else managed to get this working, or does anyone know if is it supported?  
  
Edited by: cmeinschein on Feb 27, 2019 11:13 AM

Answer

Hi,  
  
storing ALB access logs in a S3 bucket with SSE-KMS encryption enabled is still not supported.   
  
To encrypt your access logs, you can enable server-side encryption with Amazon S3-managed encryption keys (SSE-S3):   
  
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Answer

Same probleme here.   
The CloudTrail event generated:

```
{
            "eventVersion": "1.05",
            "userIdentity": {
                "type": "AWSAccount",
                "principalId": "AIDAIC3Q6OY7XTEX2MMHK",
                "accountId": "156460612806"
            },
            "eventTime": "2019-05-13T08:33:37Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutObject",
            "awsRegion": "eu-west-1",
            "sourceIPAddress": "AWS Internal",
            "userAgent": "[aws-internal/3 aws-sdk-java/1.11.526 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 vendor/Oracle_Corporation]",
            "errorCode": "AccessDenied",
            "errorMessage": "Access Denied",
            "requestParameters": {
                "bucketName": "logging-alpha-eu-west-1",
                "Host": "logging-alpha-eu-west-1.s3-eu-west-1.amazonaws.com",
                "x-amz-acl": "bucket-owner-full-control",
                "key": "AWSLogs/000000000000/ELBAccessLogTestFile"
            },
            "responseElements": null,
            "additionalEventData": {
                "SignatureVersion": "SigV4",
                "CipherSuite": "ECDHE-RSA-AES128-SHA",
                "bytesTransferredIn": 0,
                "AuthenticationMethod": "AuthHeader",
                "x-amz-id-2": "xxxxxxxxxxx",
                "bytesTransferredOut": 243
            },
            "requestID": "XXXXXX",
            "eventID": "XXXXXXX",
            "readOnly": false,
            "resources": [
                {
                    "type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::logging-alpha-eu-west-1/AWSLogs/000000000000/ELBAccessLogTestFile"
                },
                {
                    "accountId": "000000000000",
                    "type": "AWS::S3::Bucket",
                    "ARN": "arn:aws:s3:::logging-alpha-eu-west-1"
                }
            ],
            "eventType": "AwsApiCall",
            "recipientAccountId": "000000000000",
            "sharedEventID": "xxxxxxxx"
        }
```

I've tried with the following statement on my KMS Key but it still does not work:

```
{
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "*"
}
```

If I change the bucket default encryption to the "AES256" encryption, everything is working great.   
Benoît  
  
Edited by: bsauvere on May 13, 2019 2:03 AM

Storing Application Load Balancer access logs in a KMS-encrypted S3 bucket

Contenido relevante