Hi, you can use policies to manage cross-account access. You might find this document useful: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html
AWS has started to say in their documentation to try not to use ACLs: "Granting access to the S3 log delivery group using your bucket ACL is not recommended." Here is an example bucket policy I use to allow cross-account access. Replace [bucketname] with the bucket name this policy is being applied to, and replace the account number 111111111111 with the account(s) that need to write their logs to this bucket.
Note, the AWS account 652711504416 is for eu-west-2. The reference can be seen here; depending on which region your ELB logs are being delivered from, it may need updating. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ELBRegionEu-West-2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::652711504416:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[bucketname]/*"
    },
    {
      "Sid": "AWSLogdeliveryWriteELB",
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[bucketname]/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[bucketname]/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111"
          ],
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::[bucketname]",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111"
          ]
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::[bucketname]/*",
        "arn:aws:s3:::[bucketname]"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
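As an added example (not code from the answer above or from AWS), the following Python builds a bucket policy with the same shape as the posted one and audits any policy for the three things worth checking before trusting a log bucket to cross-account delivery: every log-delivery service principal is pinned with aws:SourceAccount (or aws:SourceArn), so another account cannot point its load balancer at your bucket; an Allow for an AWS account root principal does not cover the whole bucket; and the Deny for non-TLS access is present. The helper names (build_policy, audit_policy, WEAK_POLICY), the bucket name my-logs and the weakened policy are all constructed for this example. The builder departs from the posted policy in one place: it scopes the regional ELB account's Resource to AWSLogs/<account-id>/*, as the linked AWS guide does, because that AWS-owned account writes on behalf of every customer in the region and "/*" would accept logs from any of them.

```python
import json

# Service principals that deliver load balancer / VPC-style logs to S3.
LOG_DELIVERY_SERVICES = {
    "logdelivery.elasticloadbalancing.amazonaws.com",
    "delivery.logs.amazonaws.com",
}


def build_policy(bucket, elb_account, source_accounts):
    """Return a bucket policy dict; elb_account is the regional ELB account
    (652711504416 for eu-west-2 per the answer above), source_accounts the
    accounts allowed to deliver logs. Hypothetical helper, constructed here."""
    accounts = sorted(source_accounts)
    pinned = {"StringEquals": {"aws:SourceAccount": accounts}}
    objects = f"arn:aws:s3:::{bucket}/*"
    statements = [
        {
            "Sid": "ELBRegionalAccountWrite",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{elb_account}:root"},
            "Action": "s3:PutObject",
            # Per-account prefix instead of "/*": the regional ELB account acts
            # for every customer in the region, so this is what limits writers.
            "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in accounts],
        },
        {
            "Sid": "AWSLogDeliveryWriteELB",
            "Effect": "Allow",
            "Principal": {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": objects,
            "Condition": pinned,
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": objects,
            "Condition": {"StringEquals": {"aws:SourceAccount": accounts,
                                           "s3:x-amz-acl": "bucket-owner-full-control"}},
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": pinned,
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", objects],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings for a bucket policy; an empty list passes."""
    findings = []
    tls_deny = False
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        cond = st.get("Condition", {})
        if st.get("Effect") == "Deny":
            if (principal == "*" and "s3:*" in _as_list(st.get("Action"))
                    and cond.get("Bool", {}).get("aws:SecureTransport") == "false"):
                tls_deny = True
            continue
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Allow for an anonymous principal")
            continue
        if not isinstance(principal, dict):
            continue
        pinned = ("aws:SourceAccount" in cond.get("StringEquals", {})
                  or "aws:SourceArn" in cond.get("ArnLike", {}))
        services = _as_list(principal.get("Service"))
        if any(s in LOG_DELIVERY_SERVICES for s in services) and not pinned:
            findings.append(f"{sid}: log-delivery service principal not pinned "
                            "with aws:SourceAccount or aws:SourceArn")
        for arn in _as_list(principal.get("AWS")):
            if not (arn.endswith(":root") and "s3:PutObject" in _as_list(st.get("Action"))):
                continue
            # "arn:aws:s3:::bucket/*" (one slash, trailing "/*") covers every key.
            names = [r.split(":::", 1)[1] for r in _as_list(st.get("Resource"))]
            if any(n.count("/") == 1 and n.endswith("/*") for n in names) and not pinned:
                findings.append(f"{sid}: {arn} may PutObject anywhere in the bucket; "
                                "scope Resource to /AWSLogs/<account-id>/*")
    if not tls_deny:
        findings.append("no Deny statement for aws:SecureTransport=false")
    return findings


# Constructed weakened policy: the same principals as the posted one, but no
# aws:SourceAccount pin, a whole-bucket Resource for the ELB account, no TLS deny.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ELBRegionEu-West-2", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::652711504416:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-logs/*"},
        {"Sid": "AWSLogdeliveryWriteELB", "Effect": "Allow",
         "Principal": {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-logs/*"},
    ],
}

if __name__ == "__main__":
    good = build_policy("my-logs", "652711504416", ["111111111111"])
    print(json.dumps(good, indent=2))
    print("findings for built policy:", audit_policy(good))
    print("findings for WEAK_POLICY:")
    for finding in audit_policy(WEAK_POLICY):
        print("  -", finding)
```

To run the audit against a live bucket, feed it `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` from boto3; the checks are deliberately conservative (a statement pinned by a condition key this script does not recognise is still reported), so treat findings as items to review rather than as proof of exposure.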