Using root account in elb S3 policy

Hi, In the documentation to enable ELB logs, it is stated that I should add the following policy to my S3 bucket :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
    }
  ]
}

I'm a bit confused by the "Principal" field. It seems to allow the root user of a global elb account. Who does this policy actually allow to access the bucket ? Does that mean anyone can send their elb logs to my bucket provided they know the arn ? Or is it only for my aws account ?

주제

보안, 신원 및 규정 준수 스토리지

태그

AWS 자격 증명 및 액세스 관리 IAM 정책 아마존 S3 액세스 그랜트

언어

English

Alexf

질문됨 4달 전179회 조회

1개 답변

최신
최다 투표
가장 많은 댓글

You should replace elb-account-id with your AWS Account ID (twelve digits).

This will allow the root of YOUR ACCOUNT, and only, to perform the action in the S3 bucket defined by the ARN. The root is the Principal that collects the data and you need to specify it in this resource-based policy.

Ibrahim Cesar

답변함 4달 전

Alexf
4달 전
Thanks for your answer. The documentation says the following though : Replace elb-account-id with the ID of the AWS account for Elastic Load Balancing for your Region And then lists all the IDs for the different regions. Why ?

Using root account in elb S3 policy

관련 콘텐츠