AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

Enable S3 server access logging - Target account is a cross account

0

Hello,

I am trying to enable S3 server access logging for a bucket I have access however, the target account is a cross account in the same region (us-east-1).

  • Account A - source account where logging must be enabled
  • Account B - target account to store all the access logs

By referring this documentation I have added the policy below to Account B.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<s3 bucket name in Account B)/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<account number of Account A"
                }
            }
        }
    ]
}

I got the following error in Account A when Target bucket is an S3 bucket in Account B

You don’t have permission to edit server access logging details
You need s3:GetBucketPolicy and s3:PutBucketPolicy to update the target bucket policy (bucket settings) configuration. Learn more about Bucket policy ownership in Amazon S3 
API response - Access Denied

I am getting the below error if I try to update the policy by adding s3:GetBucketPolicy and s3:PutBucketPolicy.

Unknown Error
An unexpected error occurred.
API response - Action does not apply to any resource(s) in statement

I am looking for guidance on what policy changes should I make this to work.

トピック
ストレージセキュリティ、アイデンティティ、コンプライアンス
タグ
Amazon Simple Storage Service (S3)AWS Identity and Access Management
言語
English
rePost-User-6620266
質問済み 1年前864ビュー
1回答
0
承認された回答

Please note that S3 Server Access logging only accept target bucket that belongs to the same AWS account. Therefore you cannot send directly the server access log to other account. Quote from the documentation

By default, Amazon S3 doesn't collect server access logs. When you enable logging, Amazon S3 delivers access logs for a source bucket to a target bucket that you choose. The target bucket must be in the same AWS Region and AWS account as the source bucket, and must not have a default retention period configuration.

However, you could use cross account S3 Replication to replicate the log files from a bucket in the source account to a bucket in the destination account:

  • You need to create server access logs on your source bucket that delivers logs to the bucket belongs to your account with versioning enabled and then you can configure a cross account replication between the target bucket of your account and the bucket that belongs to different account. 

  • Then, to avoid duplication of logs and extra cost for storage, you can create a Lifecycle rule that would expire your Server Access logs after a certain number of days once you have confirmed that they will have been replicated successfully to the bucket that belongs to different AWS Account. You can have a look at the following link on how to create S3 Lifecycle Rules.
  • Finally note that objects that existed before you set up replication aren't replicated automatically. In other words, Amazon S3 doesn't replicate objects retroactively. You can use Batch Replication to replicate objects that were added to the bucket before Cross-Account Replication was configured.

Hope this helps.

AWS
エキスパート
Gokul
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ