Logging Network Firewall Logs to S3 bucket. What should I use for my Service Principal?

0

I'm reading the documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html

I'm confused because it indicates that the network firewall logs can send logs to S3 bucket; however, when it gives the example policy it has delivery.logs.amazonaws.com for the principal of the bucket policy.

However, if I'm using Network Firewall, wouldn't I have to use network-firewall.amazonaws.com as the service principal for the bucket policy instead?

1 Answer
1

Hi,

Here is a sample policy for your reference. Following the sample from the page below, you can consider using delivery.logs.amazonaws.com as the Principal.

https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-s3.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::log-bucket/flow-logs/AWSLogs/111122223333/*",
                "arn:aws:s3:::log-bucket/flow-logs/AWSLogs/444455556666/*"
            ],
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1"
        }
    ]
}
jcvip (AWS)
answered a year ago
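As an added example (not part of the answer above or of AWS's documentation), the script below does two things a practitioner usually wants when setting up this bucket policy: it builds a policy scoped to the delivery.logs.amazonaws.com service principal and to the AWSLogs/<account>/ prefixes only, and it lints an existing policy for the properties that matter (correct service principal, no wildcard principal, no actions beyond PutObject and GetBucketAcl, resources confined to the expected bucket and account prefixes, the bucket-owner-full-control ACL condition). The SAMPLE_POLICY is a constructed copy of the policy posted in the answer; the bucket names and account IDs are the documentation's placeholders. The optional aws:SourceAccount condition in build_log_bucket_policy is an assumed hardening that is not in the posted policy. Run against the sample, the checker flags one thing worth noticing: the posted policy names log-bucket in the write statement but DOC-EXAMPLE-BUCKET1 in the GetBucketAcl statement, so both statements must be pointed at your real bucket.

```python
import json
import re

LOG_DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"

# Constructed copy of the policy posted in the answer above (placeholders kept).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
     "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": ["arn:aws:s3:::log-bucket/flow-logs/AWSLogs/111122223333/*",
                  "arn:aws:s3:::log-bucket/flow-logs/AWSLogs/444455556666/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
     "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_log_bucket_policy(bucket, account_ids, prefix="", source_accounts=None):
    """Least-privilege bucket policy for log delivery into bucket/prefix/AWSLogs/<acct>/.
    source_accounts (assumed hardening, not in the posted policy) adds aws:SourceAccount."""
    prefix = prefix.strip("/")
    base = f"arn:aws:s3:::{bucket}" + (f"/{prefix}" if prefix else "")
    write_cond = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    acl_stmt = {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"}
    if source_accounts:
        write_cond["StringEquals"]["aws:SourceAccount"] = list(source_accounts)
        acl_stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": list(source_accounts)}}
    write_stmt = {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
                  "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                  "Action": "s3:PutObject",
                  "Resource": [f"{base}/AWSLogs/{acct}/*" for acct in account_ids],
                  "Condition": write_cond}
    return {"Version": "2012-10-17", "Statement": [write_stmt, acl_stmt]}


def check_log_bucket_policy(policy, bucket, account_ids):
    """Return a list of findings; an empty list means the policy is scoped as expected."""
    findings, allowed = [], set(account_ids)
    saw_write = saw_acl = False
    res_pattern = re.compile(rf"arn:aws:s3:::{re.escape(bucket)}(?:/[^*]*)?/AWSLogs/(\d{{12}})/\*")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if services != [LOG_DELIVERY_PRINCIPAL]:  # catches "*" and non-service principals
            findings.append(f"{sid}: principal must be the {LOG_DELIVERY_PRINCIPAL} service only, got {principal!r}")
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        extra = sorted(set(actions) - {"s3:PutObject", "s3:GetBucketAcl"})
        if extra:
            findings.append(f"{sid}: grants actions beyond log delivery: {extra}")
        if "s3:PutObject" in actions:
            saw_write = True
            for res in resources:
                m = res_pattern.fullmatch(res)
                if not m:
                    findings.append(f"{sid}: write resource {res} is not an AWSLogs/<account>/ prefix in {bucket}")
                elif m.group(1) not in allowed:
                    findings.append(f"{sid}: write resource {res} grants an unexpected account")
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: missing s3:x-amz-acl=bucket-owner-full-control condition")
        if "s3:GetBucketAcl" in actions:
            saw_acl = True
            if resources != [f"arn:aws:s3:::{bucket}"]:
                findings.append(f"{sid}: GetBucketAcl resource {resources} does not name bucket {bucket}")
    if not saw_write:
        findings.append("no s3:PutObject statement for the log delivery service")
    if not saw_acl:
        findings.append("no s3:GetBucketAcl statement for the log delivery service")
    return findings


if __name__ == "__main__":
    accounts = ["111122223333", "444455556666"]
    for finding in check_log_bucket_policy(SAMPLE_POLICY, "log-bucket", accounts):
        print("finding:", finding)
    print(json.dumps(build_log_bucket_policy("log-bucket", accounts, "flow-logs", accounts), indent=2))
```

The checker deliberately rejects any principal other than the log delivery service, so a policy that substitutes network-firewall.amazonaws.com, or opens the bucket to "*", is reported rather than silently accepted.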
