Enable S3 server access logging - Target account is a cross account


Hello,

I am trying to enable S3 server access logging for a bucket I have access to; however, the target account is a cross account in the same region (us-east-1).

  • Account A - source account where logging must be enabled
  • Account B - target account to store all the access logs

By referring to this documentation I have added the policy below to Account B.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<s3 bucket name in Account B>/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<account number of Account A>"
                }
            }
        }
    ]
}

I got the following error in Account A when the target bucket is an S3 bucket in Account B:

You don’t have permission to edit server access logging details
You need s3:GetBucketPolicy and s3:PutBucketPolicy to update the target bucket policy (bucket settings) configuration. Learn more about Bucket policy ownership in Amazon S3 
API response - Access Denied

I am getting the error below if I try to update the policy by adding s3:GetBucketPolicy and s3:PutBucketPolicy.

Unknown Error
An unexpected error occurred.
API response - Action does not apply to any resource(s) in statement

I am looking for guidance on what policy changes I should make for this to work.

1 Answer
Accepted Answer

Please note that S3 server access logging only accepts a target bucket that belongs to the same AWS account. Therefore you cannot send the server access logs directly to another account. Quote from the documentation:

By default, Amazon S3 doesn't collect server access logs. When you enable logging, Amazon S3 delivers access logs for a source bucket to a target bucket that you choose. The target bucket must be in the same AWS Region and AWS account as the source bucket, and must not have a default retention period configuration.

However, you could use cross account S3 Replication to replicate the log files from a bucket in the source account to a bucket in the destination account:

  • You need to enable server access logging on your source bucket so that it delivers logs to a bucket belonging to your own account with versioning enabled, and then you can configure cross-account replication between that target bucket in your account and the bucket that belongs to the other account.

  • Then, to avoid duplication of logs and extra storage cost, you can create a Lifecycle rule that expires your server access logs after a certain number of days, once you have confirmed that they have been replicated successfully to the bucket in the other AWS account. You can have a look at the following link on how to create S3 Lifecycle rules.
  • Finally note that objects that existed before you set up replication aren't replicated automatically. In other words, Amazon S3 doesn't replicate objects retroactively. You can use Batch Replication to replicate objects that were added to the bucket before Cross-Account Replication was configured.

Hope this helps.

AWS
EXPERT
Gokul
answered a year ago
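The two-hop design in the accepted answer, as an added example that is not part of the original post or of AWS's own code: it builds every policy and configuration document the chain needs (the same-account logging target policy, the replication role's trust and permission policies, the Account B bucket policy, the replication rule and the lifecycle rule) and, when run as a script, applies them with boto3. Note that the `logging.s3.amazonaws.com` statement from the question goes on the target bucket in Account A; the bucket in Account B instead trusts the Account A replication role. All account IDs, bucket names, the role name, the prefix and the profile names are placeholder assumptions.

```python
"""Cross-account S3 access logs: same-account target bucket plus replication.

Added example, not code from the original post or from AWS. Builds the policy
and configuration documents for the design in the accepted answer and, when run
as a script, applies them with boto3. All IDs and names are placeholders.
"""
import json

ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"   # assumed account IDs
SOURCE_BUCKET = "app-data-a"           # bucket being logged (assumed)
LOG_BUCKET = "app-access-logs-a"       # same-account logging target, versioned (assumed)
CENTRAL_LOG_BUCKET = "central-logs-b"  # Account B bucket, versioned (assumed)
LOG_PREFIX = "s3-access/"
ROLE_NAME = "s3-access-log-replication"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/{ROLE_NAME}"
RETENTION_DAYS = 7
REPLICATE = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
             "s3:ObjectOwnerOverrideToBucketOwner"]
# Only the S3 service may assume the replication role.
ROLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}


def logging_target_bucket_policy(log_bucket, source_bucket, source_account):
    """Policy for the SAME-account target bucket, which is where the asker's
    logging.s3.amazonaws.com statement belongs (Account A, not Account B).
    SourceArn pins delivery to one source bucket, SourceAccount to one account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "S3ServerAccessLogsPolicy", "Effect": "Allow",
        "Principal": {"Service": "logging.s3.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{log_bucket}/*",
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
            "StringEquals": {"aws:SourceAccount": source_account}}}]}


def replication_role_permissions(log_bucket, dest_bucket):
    """Least privilege for the role: read versions from the Account A log bucket,
    write replicas into the Account B bucket and hand their ownership over."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": f"arn:aws:s3:::{log_bucket}",
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"]},
        {"Effect": "Allow", "Resource": f"arn:aws:s3:::{log_bucket}/*",
         "Action": ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
                    "s3:GetObjectVersionTagging"]},
        {"Effect": "Allow", "Resource": f"arn:aws:s3:::{dest_bucket}/*",
         "Action": REPLICATE}]}


def destination_bucket_policy(role_arn, dest_bucket):
    """Bucket policy applied in Account B: the principal is the Account A
    replication role, not the logging service, and the actions are replicate ones."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountReplication", "Effect": "Allow",
        "Principal": {"AWS": role_arn}, "Action": REPLICATE,
        "Resource": f"arn:aws:s3:::{dest_bucket}/*"}]}


def replication_configuration(role_arn, dest_bucket, dest_account, prefix):
    """Replication rule on the Account A log bucket. AccessControlTranslation
    makes Account B the owner of every replica, so it can read them without ACLs."""
    return {"Role": role_arn, "Rules": [{
        "ID": "replicate-access-logs", "Priority": 1, "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": {"Bucket": f"arn:aws:s3:::{dest_bucket}",
                        "Account": dest_account,
                        "AccessControlTranslation": {"Owner": "Destination"}}}]}


def lifecycle_configuration(prefix, days):
    """Expire the Account A copies once replicated. In a versioned bucket
    Expiration only adds a delete marker; NoncurrentVersionExpiration is what
    actually frees the storage."""
    return {"Rules": [{"ID": "expire-replicated-access-logs", "Status": "Enabled",
                       "Filter": {"Prefix": prefix}, "Expiration": {"Days": days},
                       "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}]}


def apply(session_a, session_b):
    """Apply the whole chain using boto3 sessions for Account A and Account B."""
    s3a, iam, s3b = session_a.client("s3"), session_a.client("iam"), session_b.client("s3")
    for s3, bucket in ((s3a, LOG_BUCKET), (s3b, CENTRAL_LOG_BUCKET)):  # both must be versioned
        s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3a.put_bucket_policy(Bucket=LOG_BUCKET, Policy=json.dumps(
        logging_target_bucket_policy(LOG_BUCKET, SOURCE_BUCKET, ACCOUNT_A)))
    s3a.put_bucket_logging(Bucket=SOURCE_BUCKET, BucketLoggingStatus={
        "LoggingEnabled": {"TargetBucket": LOG_BUCKET, "TargetPrefix": LOG_PREFIX}})
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(ROLE_TRUST_POLICY))
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="replicate-access-logs",
        PolicyDocument=json.dumps(replication_role_permissions(LOG_BUCKET, CENTRAL_LOG_BUCKET)))
    s3b.put_bucket_policy(Bucket=CENTRAL_LOG_BUCKET,
        Policy=json.dumps(destination_bucket_policy(ROLE_ARN, CENTRAL_LOG_BUCKET)))
    s3a.put_bucket_replication(Bucket=LOG_BUCKET, ReplicationConfiguration=
        replication_configuration(ROLE_ARN, CENTRAL_LOG_BUCKET, ACCOUNT_B, LOG_PREFIX))
    s3a.put_bucket_lifecycle_configuration(Bucket=LOG_BUCKET,
        LifecycleConfiguration=lifecycle_configuration(LOG_PREFIX, RETENTION_DAYS))


if __name__ == "__main__":
    import boto3  # the profile names are assumptions
    apply(boto3.Session(profile_name="account-a"), boto3.Session(profile_name="account-b"))
```

Run it once with credentials for both accounts; `apply()` needs rights in Account A to edit bucket logging, bucket policy, replication and lifecycle and to create the IAM role, and in Account B only `s3:PutBucketVersioning` and `s3:PutBucketPolicy` on the central bucket. Set `RETENTION_DAYS` comfortably above the replication lag you observe, and remember that objects already in the Account A log bucket before the rule existed are only copied by Batch Replication, as the answer notes.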
