Storing Application Load Balancer access logs in a KMS-encrypted S3 bucket


I was recently working on enabling Access Logs for my app's Application Load Balancer, and wanted to store those logs in an encrypted S3 bucket. It's trivial to do this using S3's own managed encryption, but I can't figure out how to get it working using KMS-managed encryption. I continue to get "Access Denied for bucket: (bucket). Please check S3bucket permission" in the ALB Edit Load Balancer Attributes page.

I think that I need to grant the ELB service access to the KMS key so it can encrypt the log files before storing them in the bucket. I've tried modifying the Key policy to allow this but my attempts have been fruitless so far.

Has anyone else managed to get this working, or does anyone know if is it supported?

Edited by: cmeinschein on Feb 27, 2019 11:13 AM

asked 5 years ago3939 views
2 Answers

Same probleme here.
The CloudTrail event generated:

            "eventVersion": "1.05",
            "userIdentity": {
                "type": "AWSAccount",
                "principalId": "AIDAIC3Q6OY7XTEX2MMHK",
                "accountId": "156460612806"
            "eventTime": "2019-05-13T08:33:37Z",
            "eventSource": "",
            "eventName": "PutObject",
            "awsRegion": "eu-west-1",
            "sourceIPAddress": "AWS Internal",
            "userAgent": "[aws-internal/3 aws-sdk-java/1.11.526 Linux/ OpenJDK_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 vendor/Oracle_Corporation]",
            "errorCode": "AccessDenied",
            "errorMessage": "Access Denied",
            "requestParameters": {
                "bucketName": "logging-alpha-eu-west-1",
                "Host": "",
                "x-amz-acl": "bucket-owner-full-control",
                "key": "AWSLogs/000000000000/ELBAccessLogTestFile"
            "responseElements": null,
            "additionalEventData": {
                "SignatureVersion": "SigV4",
                "CipherSuite": "ECDHE-RSA-AES128-SHA",
                "bytesTransferredIn": 0,
                "AuthenticationMethod": "AuthHeader",
                "x-amz-id-2": "xxxxxxxxxxx",
                "bytesTransferredOut": 243
            "requestID": "XXXXXX",
            "eventID": "XXXXXXX",
            "readOnly": false,
            "resources": [
                    "type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::logging-alpha-eu-west-1/AWSLogs/000000000000/ELBAccessLogTestFile"
                    "accountId": "000000000000",
                    "type": "AWS::S3::Bucket",
                    "ARN": "arn:aws:s3:::logging-alpha-eu-west-1"
            "eventType": "AwsApiCall",
            "recipientAccountId": "000000000000",
            "sharedEventID": "xxxxxxxx"

I've tried with the following statement on my KMS Key but it still does not work:

            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            "Action": "*",
            "Resource": "*"

If I change the bucket default encryption to the "AES256" encryption, everything is working great.

Edited by: bsauvere on May 13, 2019 2:03 AM

answered 5 years ago


storing ALB access logs in a S3 bucket with SSE-KMS encryption enabled is still not supported.

To encrypt your access logs, you can enable server-side encryption with Amazon S3-managed encryption keys (SSE-S3):

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions