Logging Network Firewall Logs to S3 bucket. What should I use for my Service Principal?


I'm reading the documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html

I'm confused because it indicates that Network Firewall can send logs to an S3 bucket; however, when it gives the example policy it has delivery.logs.amazonaws.com as the principal of the bucket policy.

However, if I'm using Network Firewall, wouldn't I have to use network-firewall.amazonaws.com as the service principal for the bucket policy instead?

1 Answer


Here is a sample policy for your reference. Following the sample from the page below, you can consider using delivery.logs.amazonaws.com as the Principal.


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": "delivery.logs.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "delivery.logs.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1"
            }
        ]
    }
answered 5 months ago
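A check for the policy shape the answer describes, as an added example that is not code from the question, the answer or AWS: it parses a bucket policy and reports whether delivery.logs.amazonaws.com is allowed s3:PutObject on an object path with the bucket-owner-full-control ACL condition, plus s3:GetBucketAcl on the bucket, and names any other service principal (such as network-firewall.amazonaws.com) found in its place. The sample policy, the bucket name reuse and the check function are all constructed here.

```python
import json

LOG_DELIVERY = "delivery.logs.amazonaws.com"

# Constructed sample: the answer's bucket policy, completed with an object-level PutObject resource.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:PutObject",
         "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1"},
    ],
})

def _as_list(value):
    # IAM policy elements may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _services(stmt):
    principal = stmt.get("Principal", {})
    return _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []

def check_log_delivery_policy(policy_json, bucket):
    """Return a list of findings; an empty list means the bucket can receive vended logs."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allows = [s for s in json.loads(policy_json).get("Statement", []) if s.get("Effect") == "Allow"]
    delivery = [s for s in allows if LOG_DELIVERY in _services(s)]
    if not delivery:
        seen = sorted({svc for s in allows for svc in _services(s)})
        return [f"no Allow statement for {LOG_DELIVERY}; service principals seen: {seen}"]
    puts = [s for s in delivery if "s3:PutObject" in _as_list(s.get("Action", []))]
    if not puts:
        findings.append(f"{LOG_DELIVERY} is not allowed s3:PutObject")
    for s in puts:
        # PutObject applies to objects, so the resource must be a key path under the bucket.
        if not any(r.startswith(bucket_arn + "/") for r in _as_list(s.get("Resource", []))):
            findings.append(f"{s.get('Sid')}: PutObject resource must be an object path under {bucket_arn}/")
        acl = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            findings.append(f"{s.get('Sid')}: PutObject must require s3:x-amz-acl = bucket-owner-full-control")
    if not any("s3:GetBucketAcl" in _as_list(s.get("Action", []))
               and bucket_arn in _as_list(s.get("Resource", [])) for s in delivery):
        findings.append(f"{LOG_DELIVERY} is not allowed s3:GetBucketAcl on {bucket_arn}")
    return findings
```

Run it against the policy you actually attached (for example the output of `aws s3api get-bucket-policy`) with your bucket name; an empty list means the delivery service principal has exactly the two grants the answer shows.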
