Best practice for cross account S3 bucket access

Question

We are trying to turn on access log for a load balancer following this page https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html, the problem here is that the load balancer and S3 bucket are in different AWS accounts. 
Would like to know the best practice to achieve this, should we turn on ACL in the S3 bucket or there are some preferred ways, thank you!

Answer

Hi,
You can use policies to manage cross account access. You might find this document useful - https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

Answer

AWS started to say in their documentation, try not to use ACL's **Granting access to the S3 log delivery group using your bucket ACL is not recommended**. Here is an example Bucket policy I use to allow cross Account Access.. Replace [bucketname] with the bucket name this policy is being applied too and replace the account number 111111111111 with the account(s) that need to write their logs from to this bucket.

Note, the AWS Account 652711504416 is for EU-west-2. Reference can be seen here depending on which region your ELB Logs are being delievered from so may need updating. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ELBRegionEu-West-2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::652711504416:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[bucketname]/*"
        },
        {
            "Sid": "AWSLogdeliveryWriteELB",
            "Effect": "Allow",
            "Principal": {
                "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[bucketname]/*",
	    "Condition": {
			"StringEquals": {
                        "aws:SourceAccount": [
                        "111111111111"
                    ]
                }
	}
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
            "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[bucketname]/*",
            "Condition": {
                "StringEquals": {
				"aws:SourceAccount": [
                        "111111111111"
                    ],
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
            "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::[bucketname]",
	    "Condition": {
			"StringEquals": {
                    "aws:SourceAccount": [
                        "111111111111"
                    ]
                }
	}
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::[bucketname]/*",
                "arn:aws:s3:::[bucketname]"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
```

Best practice for cross account S3 bucket access

Relevant content