3 Answers
0
Your condition on the S3 bucket looks incorrect. Please try the following while replacing account-no with your Acct No.
This section is incorrect:
"aws:SourceArn": "arn:aws:elasticloadbalancing:ap-south-1:account-no:*"
{
  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["account-no"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:ap-south-1:account-no:*"]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-no/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": ["account-no"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:ap-south-1:account-no:*"]
        }
      }
    }
  ]
}
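A pre-deployment check for the mismatch this answer points out, as an added example that is not code from any poster or from AWS. The function names and the account ID `111122223333` are constructed for illustration, and the expected `arn:aws:logs:...` pattern is taken from the policy in the answer above.

```python
LOG_PRINCIPAL = "delivery.logs.amazonaws.com"

def _as_list(value):
    """IAM accepts a scalar or a list for most policy values; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_log_delivery_policy(policy, account_id, region):
    """Return findings for Allow statements that trust the log delivery service."""
    findings = []
    # Assumption: exact match against the pattern used in the answer above.
    expected_arn = f"arn:aws:logs:{region}:{account_id}:*"
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or LOG_PRINCIPAL not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        if not arns:
            findings.append(f"{sid}: no aws:SourceArn condition")
        for arn in arns:
            if arn != expected_arn:
                findings.append(f"{sid}: aws:SourceArn is {arn!r}, expected {expected_arn!r}")
        if account_id not in accounts:
            findings.append(f"{sid}: aws:SourceAccount does not pin {account_id}")
    return findings

def sample_policy(arn_service, account_id="111122223333", region="ap-south-1"):
    """Constructed policy in the shape shown above; arn_service selects the SourceArn service."""
    arn = f"arn:aws:{arn_service}:{region}:{account_id}:*"
    def stmt(sid, action, resource, extra=None):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": LOG_PRINCIPAL},
                "Action": action, "Resource": resource,
                "Condition": {"StringEquals": {**(extra or {}), "aws:SourceAccount": [account_id]},
                              "ArnLike": {"aws:SourceArn": [arn]}}}
    return {"Version": "2012-10-17", "Statement": [
        stmt("AWSLogDeliveryAclCheck", "s3:GetBucketAcl", "arn:aws:s3:::my-bucket"),
        stmt("AWSLogDeliveryWrite", "s3:PutObject",
             f"arn:aws:s3:::my-bucket/AWSLogs/{account_id}/*",
             {"s3:x-amz-acl": "bucket-owner-full-control"})]}

if __name__ == "__main__":
    for service in ("logs", "elasticloadbalancing"):
        result = check_log_delivery_policy(sample_policy(service), "111122223333", "ap-south-1")
        print(service, "->", result or "OK")
```

Running the same check with the literal `account-no` placeholder left in the policy also produces findings, which separates the two problems argued about in the comments.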
0
Hello.
Is your S3 bucket encrypted using KMS?
For KMS encryption, try selecting a bucket with "SSE-S3" encryption.
Also, are NLB and S3 in the same region?
If the region is different, it will not be possible to output.
Yes, same region, and S3 is encrypted.
I have mentioned already that account-no has been replaced by my actual AWS account number.
I understand that; however, your policy was wrong. It had the wrong condition statement. My policy was the correct one. The ARN, not the account number, was wrong.
Your policy condition was using arn:aws:elasticloadbalancing and not arn:aws:logs.