Access denied to S3 bucket when trying to save ALB access logs

0

I've got an S3 bucket that I want to use to save ALB access logs to, in order to diagnose an issue on my EC2 authentication. When trying to save the S3 bucket location in the Monitoring tab of the ALB I get "Access Denied check permissions". Tried all sorts of policy scripts but none work. The S3 bucket called myfirstbucket is in the same region as my EC2 stuff. I can manually load files to the S3 bucket no problem. I can browse to it from the ALB Monitoring page fine. The block all policy is OFF. The bucket policy script (there is only one) is as below. I've taken it from the AWS documentation here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#enable-access-logs

The 652711504416 is for eu-west-2 and the number shown here as 1111111111 is actually just in place of my AWS account ID.

What am I doing wrong? Thanks

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::652711504416:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myfirstbucket/prefix/AWSLogs/1111111111/*"
    }
  ]
}

1 Answer
0

Your policy looks fine. Are you using SSE-S3 keys? https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#bucket-permissions-troubleshooting

If you receive an access denied error, the following are possible causes:

  • The bucket uses an unsupported server-side encryption option. The bucket must use Amazon S3-managed keys (SSE-S3).
EXPERT
Steve_M
answered 2 months ago
  • Hi Steve, thanks for your reply. UK time here (now Sunday morning) so apologies for the slow response. Yes, it appears so. The bucket properties have "Server-side encryption with Amazon S3 managed keys (SSE-S3)" selected. Any other thoughts?

  • "Resource": "arn:aws:s3:::myfirstbucket/prefix/AWSLogs/1111111111/*"

    Is there actually a folder called prefix in the top-level of the bucket? Or is that just a generic term in-place of the "real" folder name?

  • Sorry, no there isn't; it was pasted from the original docs and I forgot to change it in my original message. That being said, I've tried both with a prefix and without. I've also tried creating the prefix folder first in the bucket even though the docs say you don't need to. Also, as a test I created a file called mylog.txt and put it in a folder called elb, so the real S3 URI is now s3://myfirstbucket/elb/mylog.txt, and if I click the View button in the Access Logs section I can see it fine. So it's there and I appear to have permission to view it. But I still get the same "Access Denied for bucket: myfirstbucket. Please check S3bucket permission".
    Note it's not actually called myfirstbucket but I wasn't sure if giving the real name here was a security risk as they appear to have to be globally unique not just AWS account unique.

  • Any other thoughts Steve?

  • Sorry no :-( I've done this before myself and it "just worked" by following the steps in the link in your original question (or, as it was a few years ago, whatever the official AWS advice was at the time).

    Could the account be part of an AWS Organisation that is using Service Control Policies to enforce any kind of strict bucket policy that ALB might fall foul of? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_s3.html
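The thread narrows the problem to two checks: whether the bucket policy's Resource actually covers the object key the ALB will write (the literal "prefix" path segment copied from the docs versus the prefix configured on the load balancer, if any), and whether the bucket's default encryption is SSE-S3 rather than SSE-KMS. The Python below is an added example, not code from the question, the answer or AWS. It simulates offline the s3:PutObject the ALB would make against the posted policy, builds a policy whose Resource is derived from the real prefix, and checks a GetBucketEncryption-shaped configuration. Assumptions: the log-key layout follows the documented [prefix/]AWSLogs/<account>/elasticloadbalancing/<region>/... scheme with constructed date and file name; the ELB principal is the eu-west-2 account cited in the question; Condition, NotAction, NotResource and NotPrincipal elements are not evaluated.

```python
import fnmatch
import json
from typing import Optional

# Bucket policy as posted in the question (placeholder account ID kept as-is).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::652711504416:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::myfirstbucket/prefix/AWSLogs/1111111111/*",
    }],
}

# ELB log-delivery account for eu-west-2, as cited in the question. Other regions
# use a different account (or a service principal), so look yours up in the docs.
ELB_PRINCIPAL_EU_WEST_2 = "arn:aws:iam::652711504416:root"


def alb_log_key(account_id: str, region: str, prefix: Optional[str] = None) -> str:
    """A representative object key the ALB would write, following the documented layout
    [prefix/]AWSLogs/<account>/elasticloadbalancing/<region>/<yyyy>/<mm>/<dd>/<file>.
    The date and file name are constructed sample values."""
    parts = [prefix.strip("/")] if prefix else []
    parts += ["AWSLogs", account_id, "elasticloadbalancing", region,
              "2024", "01", "15", "sample-alb-access.log.gz"]
    return "/".join(parts)


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, wanted: str) -> bool:
    # Accept the account-root ARN form used in the thread, an "AWS": "*" wildcard, or a
    # service principal (newer regions use "Service": "logdelivery.elasticloadbalancing.amazonaws.com").
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    candidates = _as_list(principal.get("AWS", [])) + _as_list(principal.get("Service", []))
    return wanted in candidates or "*" in _as_list(principal.get("AWS", []))


def _wildcard_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    # IAM patterns use only * and ?, so fnmatch is a faithful matcher here
    # (IAM action names are case-insensitive; resource ARNs are not).
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def diagnose_put(policy: dict, bucket: str, key: str, elb_principal: str) -> dict:
    """Offline simulation of the s3:PutObject the ALB performs. Evaluates Effect,
    Principal, Action and Resource only; Condition/Not* elements are out of scope."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed, denied = False, False
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt.get("Principal"), elb_principal):
            continue
        if not any(_wildcard_match(a, "s3:PutObject", True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(r, object_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    reason = ("explicit Deny matches" if denied else "allowed" if allowed
              else f"no Allow statement covers {object_arn} for {elb_principal}")
    return {"allowed": allowed and not denied, "object_arn": object_arn, "reason": reason}


def build_policy(bucket: str, account_id: str, elb_principal: str, prefix: Optional[str] = None) -> dict:
    """Bucket policy in the shape the question uses, with Resource derived from the
    prefix actually configured on the load balancer (or no prefix at all)."""
    path = f"{prefix.strip('/')}/AWSLogs/{account_id}/*" if prefix else f"AWSLogs/{account_id}/*"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": elb_principal},
                           "Action": "s3:PutObject",
                           "Resource": f"arn:aws:s3:::{bucket}/{path}"}]}


def encryption_supported(sse_config: dict) -> bool:
    """True when every default-encryption rule uses SSE-S3 (AES256). SSE-KMS (aws:kms)
    is the unsupported option the answer points at. Input is the
    ServerSideEncryptionConfiguration shape returned by GetBucketEncryption;
    an empty rule list means no KMS default is set."""
    return all(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "AES256"
               for r in sse_config.get("Rules", []))


if __name__ == "__main__":
    account, region, bucket = "1111111111", "eu-west-2", "myfirstbucket"
    for prefix in (None, "prefix", "elb"):
        result = diagnose_put(QUESTION_POLICY, bucket, alb_log_key(account, region, prefix),
                              ELB_PRINCIPAL_EU_WEST_2)
        print(f"prefix={prefix!r}: {result['reason']}")
    print(json.dumps(build_policy(bucket, account, ELB_PRINCIPAL_EU_WEST_2, prefix="elb"), indent=2))
```

Run against the posted policy, the simulation only passes when the console prefix is literally "prefix"; with no prefix or with "elb" the key lands outside the Resource pattern, which is the mismatch the comments circle around. Feed the real policy (from GetBucketPolicy) and the real encryption configuration into the same functions before touching the console again.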
