By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Using root account in elb S3 policy

0

Hi, In the documentation to enable ELB logs, it is stated that I should add the following policy to my S3 bucket :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
    }
  ]
}

I'm a bit confused by the "Principal" field. It seems to allow the root user of a global elb account. Who does this policy actually allow to access the bucket ? Does that mean anyone can send their elb logs to my bucket provided they know the arn ? Or is it only for my aws account ?

Topics
Security, Identity, & ComplianceStorage
Tags
AWS Identity and Access ManagementIAM PoliciesAmazon S3 Access Grants
Language
English
Alexf
asked 3 months ago168 views
1 Answer
1

You should replace elb-account-id with your AWS Account ID (twelve digits).

This will allow the root of YOUR ACCOUNT, and only, to perform the action in the S3 bucket defined by the ARN. The root is the Principal that collects the data and you need to specify it in this resource-based policy.

profile picture
Ibrahim Cesar
answered 3 months ago
  • Alexf
    3 months ago

    Thanks for your answer. The documentation says the following though : Replace elb-account-id with the ID of the AWS account for Elastic Load Balancing for your Region And then lists all the IDs for the different regions. Why ?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content