S3 Server Access Logging - Another Account

1

Hello community, I'm trying to enable S3 server access logging to send logs to a bucket in another account. I guess I had set up the bucket destination policy right, but I'm getting this sort of error: "Unknown Error An unexpected error occurred.

API response The specified method is not allowed against this resource." Has anyone done this successfully?

asked 2 years ago, 3436 views
3 Answers
0

Hi @Deivis-Campos-0022, Is the target bucket in the same region? I'm pretty new to S3 server access logging, but based on the S3 user guide found here, it needs to be in the same region.

By default, Amazon S3 doesn't collect server access logs. When you enable logging, Amazon S3 delivers access logs for a source bucket to a target bucket that you choose. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configuration.

Let us know if that's the reason. I'm trying to learn as much as I can here, so hopefully this helps.

answered 2 years ago
  • Hi mnemosyne, thanks for your interaction. Yes, the buckets are in the same region but in different accounts.

  • Have you configured permissions on the target bucket to allow the source account/bucket to write to it? If possible, please provide as much information as possible about the configuration you've performed so far. It will be helpful so we don't go over anything you've already done to try and make this work. Some additional follow-up: this may not actually be possible. I'm not sure if you have a support account, but if you look at the table in this article, Amazon Simple Storage Service User Guide, cross-account log delivery does not appear to be possible for S3 server logs. In the table, see the 4th row, "Cross-account log delivery (target and source bucket owned by different accounts)"; you'll notice it does not say Yes in the column for Amazon S3 server logs. You may want to consider using CloudTrail instead, so long as it provides the level of logging you require.

    I'll keep looking into this on my end to confirm.

0

Hello Deivis-Campos-0022, did you find a working solution for this question?

answered a year ago
0

Based on the documentation, S3 Server Access Logs does not support cross-account log delivery.

Ob201
answered a year ago
