Storing Application Load Balancer access logs in a KMS-encrypted S3 bucket


I was recently working on enabling Access Logs for my app's Application Load Balancer, and wanted to store those logs in an encrypted S3 bucket. It's trivial to do this using S3's own managed encryption, but I can't figure out how to get it working using KMS-managed encryption. I continue to get "Access Denied for bucket: (bucket). Please check S3bucket permission" in the ALB Edit Load Balancer Attributes page.

I think that I need to grant the ELB service access to the KMS key so it can encrypt the log files before storing them in the bucket. I've tried modifying the Key policy to allow this but my attempts have been fruitless so far.

Has anyone else managed to get this working, or does anyone know if it is supported?

Edited by: cmeinschein on Feb 27, 2019 11:13 AM

Asked 5 years ago, 4026 views
2 answers

Same problem here.
The CloudTrail event generated:

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AWSAccount",
    "principalId": "AIDAIC3Q6OY7XTEX2MMHK",
    "accountId": "156460612806"
  },
  "eventTime": "2019-05-13T08:33:37Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "[aws-internal/3 aws-sdk-java/1.11.526 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 vendor/Oracle_Corporation]",
  "errorCode": "AccessDenied",
  "errorMessage": "Access Denied",
  "requestParameters": {
    "bucketName": "logging-alpha-eu-west-1",
    "Host": "logging-alpha-eu-west-1.s3-eu-west-1.amazonaws.com",
    "x-amz-acl": "bucket-owner-full-control",
    "key": "AWSLogs/000000000000/ELBAccessLogTestFile"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-SHA",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "xxxxxxxxxxx",
    "bytesTransferredOut": 243
  },
  "requestID": "XXXXXX",
  "eventID": "XXXXXXX",
  "readOnly": false,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::logging-alpha-eu-west-1/AWSLogs/000000000000/ELBAccessLogTestFile"
    },
    {
      "accountId": "000000000000",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::logging-alpha-eu-west-1"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "000000000000",
  "sharedEventID": "xxxxxxxx"
}

I've tried with the following statement on my KMS Key but it still does not work:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": "*",
  "Resource": "*"
}

If I change the bucket default encryption to the "AES256" encryption, everything is working great.
Benoît

Edited by: bsauvere on May 13, 2019 2:03 AM

Answered 5 years ago

Hi,

Storing ALB access logs in an S3 bucket with SSE-KMS encryption enabled is still not supported.

To encrypt your access logs, you can enable server-side encryption with Amazon S3-managed encryption keys (SSE-S3):

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

AWS
Answered 5 years ago
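The following is an added example, not code from either poster or from AWS. It ties the two answers together: it recognises the denied ELB test-file write from the CloudTrail event posted in the first answer (trimmed and embedded below as constructed sample data), classifies a bucket's default-encryption configuration so the unsupported SSE-KMS case is caught before the ALB is reconfigured, and produces the SSE-S3 (AES256) encryption configuration plus the bucket policy shape from the documentation linked in the AWS answer. The function names are hypothetical. The only ELB log-delivery account it knows is the eu-west-1 one, which is the accountId in the posted event; other regions use different account IDs (or, in newer regions, a service principal) and must be looked up in the ALB access-logs documentation.

```python
import json

# ELB log-delivery account for eu-west-1. It is the userIdentity.accountId in the
# CloudTrail event posted in the first answer. Assumption: other regions are not
# listed here; add them from the ALB access-logs documentation before use.
ELB_LOG_DELIVERY_ACCOUNTS = {"eu-west-1": "156460612806"}

# Constructed sample: the posted CloudTrail event, trimmed to the fields used below.
SAMPLE_EVENT = {
    "userIdentity": {"type": "AWSAccount", "accountId": "156460612806"},
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutObject",
    "awsRegion": "eu-west-1",
    "errorCode": "AccessDenied",
    "requestParameters": {
        "bucketName": "logging-alpha-eu-west-1",
        "key": "AWSLogs/000000000000/ELBAccessLogTestFile",
    },
}


def is_failed_elb_log_delivery(event):
    """True when the regional ELB account was denied writing ELBAccessLogTestFile.

    ELB writes this test object when access logging is enabled; a denied write
    is what the console surfaces as "Access Denied for bucket".
    """
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutObject" or event.get("errorCode") != "AccessDenied":
        return False
    key = event.get("requestParameters", {}).get("key", "")
    if not key.endswith("/ELBAccessLogTestFile"):
        return False
    expected = ELB_LOG_DELIVERY_ACCOUNTS.get(event.get("awsRegion"))
    actual = event.get("userIdentity", {}).get("accountId")
    return expected is not None and actual == expected


def diagnose_default_encryption(config):
    """Classify a GetBucketEncryption response; SSE-KMS is the unsupported case."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "aws:kms":
            return "sse-kms: not supported for ELB access logs, switch to AES256"
        if algo == "AES256":
            return "sse-s3: supported"
    return "no default encryption configured"


def sse_s3_default_encryption():
    """Request body for put-bucket-encryption selecting SSE-S3 (AES256)."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def access_log_bucket_policy(bucket, region, log_owner_account, prefix=""):
    """Bucket policy granting only the regional ELB account s3:PutObject on the log path."""
    elb_account = ELB_LOG_DELIVERY_ACCOUNTS[region]
    prefix_part = prefix.strip("/") + "/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowELBLogDelivery",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{elb_account}:root"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix_part}AWSLogs/{log_owner_account}/*",
        }],
    }


if __name__ == "__main__":
    print("failed ELB log delivery:", is_failed_elb_log_delivery(SAMPLE_EVENT))
    kms_config = {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/logs"}}]}}
    print(diagnose_default_encryption(kms_config))
    print(json.dumps(sse_s3_default_encryption()))
    print(json.dumps(access_log_bucket_policy("logging-alpha-eu-west-1",
                                              "eu-west-1", "000000000000"), indent=2))
```

The two JSON documents the script prints are the ones to feed to `aws s3api put-bucket-encryption --server-side-encryption-configuration` and `aws s3api put-bucket-policy --policy`; the encryption classification takes the output of `aws s3api get-bucket-encryption` as-is. The policy deliberately scopes the grant to `s3:PutObject` on the `AWSLogs/<account>/` path for one ELB account rather than a wildcard principal, which is the least-privilege shape the documentation describes.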
