S3 Server Access Logging - Another Account
Hello community, I'm trying to enable S3 server access logging to send logs to a bucket in another account. I guess I had set up the bucket destination policy right, but I'm getting this sort of error: "Unknown Error An unexpected error occurred.
API response The specified method is not allowed against this resource." Has anyone done this successfully?
Hi @Deivis-Campos-0022, Is the target bucket in the same region? I'm pretty new to S3 server access logging, but based on the S3 user guide found here, it needs to be in the same region.
By default, Amazon S3 doesn't collect server access logs. When you enable logging, Amazon S3 delivers access logs for a source bucket to a target bucket that you choose. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configuration.
Let us know if that's the reason. I'm trying to learn as much as I can here, so hopefully this helps.
Hi mnemosyne, thanks for your interaction. Yes, the buckets are in the same region but in different accounts.
Have you configured permissions on the target bucket to allow the source account/bucket to write to it? If possible, please provide as much information as you can about the configuration you've performed so far. It will be helpful so we don't go over anything you've already done to try and make this work.
Some additional follow-up: this may not actually be possible. I'm not sure if you have a support account, but if you look at the table in this article, Amazon Simple Storage Service User Guide, cross-account log delivery does not appear to be possible for S3 server logs. In the table, see the 4th row, "Cross-account log delivery (target and source bucket owned by different accounts)"; you'll notice it does not say Yes in the column for Amazon S3 server logs. You may want to consider using CloudTrail instead, so long as it provides the level of logging you require.
I'll keep looking into this on my end to confirm.