By using AWS re:Post, you agree to the Terms of Use

S3 bucket policy to allow CloudFront logging



I have two S3 buckets, and one of them has a website. Thanks fort he help, Route 53, CloudFront, and S3 are all working well to serve the website now.

I have also enabled CloudFront standard logging and selected an S3 bucket for log data.

Is there an example policy I can apply to the logging S3 permission?

I found this but I get 'Invalid principal in policy' error:

    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E27xxxx"
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"

Also, are there any disadvantages to turning on Cookie Logging?


2 Answers
Accepted Answer

I would refer this doc for the error and make sure the Syntax and steps are accurate.


Regarding Cookie Logging, The Cookie header in the request, including name—value pairs and the associated attributes.

If you enable cookie logging, CloudFront logs the cookies in all requests regardless of which cookies you choose to forward to the origin. When a request doesn’t include a cookie header, this field’s value is a hyphen (-). Refer to check for more use-cases and features.

answered 2 months ago
profile picture
reviewed 2 months ago

Thank you!

profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions