export cloudwatch logs to s3 in another account failed by Access Denied

Question

# 
Hello, I am trying to export cloud watch logs to s3 in another account(**Account A**) by [boto3's create_export_task](https://boto3.amazonaws.com/v1/documentation/api/1.26.89/reference/services/logs/client/create_export_task.html) with lambda in **AccountB**
but got access denied message in lambda log.

```
"errorMessage": "An error occurred (AccessDeniedException) when calling the CreateExportTask operation: Please ensure that the export role and the destination bucket have all the required permissions as per the documentation.",
"errorType": "AccessDeniedException",
```
Other points I confiremd are below: 
 * s3 access log in AccouA said operation PutObject was access denied ,although when I rewrite lambda to use [put_object](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/put_object.html ) it was successfull.
 *  I can export logs to Account A's bucket from accountB's console as admin role.

I am wondering which permissions I have to modify.

![Enter image description here](/media/postImages/original/IMWBV2k4YUSLeKu7g8-rRK1Q)

## Role
Lambda has permissions below.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CancelExportTask",
"logs:DescribeExportTasks",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateExportTask",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetBucketAcl"
],
"Resource": "",
"Effect": "Allow"
},
{
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "",
"Effect": "Allow"
}
]
}
```

## bucket policy
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:role/ExportLogToS3Role"
            },
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::DestinationBucket/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.ap-northeast-1.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::DestinationBucket",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-northeast-1:AccountB:log-group:*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.ap-northeast-1.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::DestinationBucket/*",
           "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-northeast-1:AccountB:log-group:*"
                }
            }
            
        }
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::AccountB:role/ExportLogToS3Role"
            ]
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::DestinationBucket/*"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::AccountB:role/ExportLogToS3Role"
            ]
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::DestinationBucket/*",
      
    }
]
}

```

re:Post Agent · Answer

The issue you're experiencing with exporting CloudWatch logs to an S3 bucket in another account is likely due to insufficient permissions. Here are a few things to check and modify:

1. IAM Role Permissions:
   Ensure that the IAM role used by the Lambda function in Account B has the necessary permissions. The role should have the AmazonS3ReadOnlyAccess policy attached, along with the custom policy you've provided. Make sure the "Resource" fields in your custom policy are not empty and specify the correct ARNs for the S3 bucket and CloudWatch log groups.

2. S3 Bucket Policy:
   Your bucket policy looks mostly correct, but there are a few adjustments to make:
   - Add a condition to the s3:PutObject permission for the CloudWatch Logs service principal to include "s3:x-amz-acl": "bucket-owner-full-control".
   - Ensure that the account IDs in the policy match the correct accounts (Account A for the bucket, Account B for the role).
   - Add the aws:SourceAccount condition to the CloudWatch Logs service principal statements.

3. KMS Key Policy (if using SSE-KMS):
   If the S3 bucket is encrypted with SSE-KMS, make sure the KMS key policy allows the CloudWatch Logs service and the IAM role from Account B to use the key.

4. CloudWatch Logs Service-Linked Role:
   Ensure that the CloudWatch Logs service-linked role exists in Account B. This role is automatically created when you use CloudWatch Logs, but if it's missing, you may need to create it manually.

5. S3 Bucket ACL:
   Check that the bucket ACL allows the bucket owner (Account A) full control over new objects.

6. Cross-Account Setup:
   Double-check that you've properly set up the cross-account access between Account A and Account B, including any necessary trust relationships.

After making these adjustments, retry the export task. If you're still encountering issues, review the CloudWatch Logs for the Lambda function and the S3 access logs for more detailed error messages to further troubleshoot the problem.  
**Sources**  
[Exporting Cloudwatch log group To S3 is failing | AWS re:Post](https://repost.aws/questions/QU7KSCirWzRsuRAP3UZeAIRw/exporting-cloudwatch-log-group-to-s3-is-failing)  
[Troubleshoot a failed export task in CloudWatch Logs | AWS re:Post](https://repost.aws/knowledge-center/cloudwatch-failed-export-task)  
[Export log data to Amazon S3 using the AWS CLI - Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasks.html)

export cloudwatch logs to s3 in another account failed by Access Denied

Role

bucket policy

Add your answer

Relevant content