Hi rePost-User-3213957,
Please go through the steps below; I hope they help you resolve your issue.
Step-by-Step Guide
Create the S3 Bucket:
- Use a CloudFormation template to create the S3 bucket that will store CloudFront logs.
Attach a Bucket Policy:
- Add a bucket policy to the S3 bucket that allows the CloudFront service to write logs to it.
Create the CloudFront Distribution:
- Configure the CloudFront distribution to use the S3 bucket for logging.
Example CloudFormation Template
Here’s an example CloudFormation template that accomplishes these tasks:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  # The origin bucket and origin access identity are referenced below but were
  # never declared in the posted template; they are declared here as inputs.
  SourceBucket:
    Type: String
    Description: Name of the existing S3 bucket that serves as the distribution origin
  SourceBucketOriginAccessIdentity:
    Type: String
    Description: ID of the existing CloudFront origin access identity for that bucket
Resources:
  CloudFrontLoggingBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'cloudfront-logs-${AWS::AccountId}'
      # LogDeliveryWrite is an ACL grant. Newly created buckets default to
      # ObjectOwnership BucketOwnerEnforced, which rejects ACLs, so ACLs must be
      # enabled explicitly or the stack fails to create the bucket.
      OwnershipControls:
        Rules:
          - ObjectOwnership: ObjectWriter
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  CloudFrontLoggingBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref CloudFrontLoggingBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudFrontServicePrincipal
            Effect: Allow
            Principal:
              Service: 'cloudfront.amazonaws.com'
            Action: 's3:PutObject'
            Resource: !Sub 'arn:aws:s3:::${CloudFrontLoggingBucket}/*'
            Condition:
              StringEquals:
                # AWS::CloudFront::Distribution exposes no Arn attribute to GetAtt
                # (only Id and DomainName), so the distribution ARN is built from its ID.
                'AWS:SourceArn': !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}'
  CloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Origins:
          - Id: myS3Origin
            DomainName: !Sub '${SourceBucket}.s3.amazonaws.com'
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${SourceBucketOriginAccessIdentity}'
        Enabled: true
        DefaultCacheBehavior:
          TargetOriginId: myS3Origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
        Logging:
          Bucket: !Sub '${CloudFrontLoggingBucket}.s3.amazonaws.com'
          IncludeCookies: false
          Prefix: 'my-cloudfront-logs/'
```
Explanation
S3 Bucket Creation:
- The CloudFrontLoggingBucket resource creates an S3 bucket with the specified name. The PublicAccessBlockConfiguration ensures that the bucket is not publicly accessible.
Bucket Policy:
- The CloudFrontLoggingBucketPolicy resource attaches a policy to the S3 bucket, allowing the CloudFront service to write logs to it. The Condition ensures that only CloudFront distributions with the specified ARN can write to the bucket.
CloudFront Distribution:
- The CloudFrontDistribution resource configures a CloudFront distribution and specifies the logging configuration to point to the S3 bucket.
Main Points:
- Bucket Policy: Ensure the bucket policy correctly grants the cloudfront.amazonaws.com service principal permission to write to the S3 bucket.
- Bucket Name and ARNs: Ensure that the bucket name and ARNs are correctly referenced in the template.
- Logging Configuration: Ensure the Logging property in the CloudFront distribution configuration correctly specifies the S3 bucket name and log prefix.
- Access Control List (ACL): The ACL LogDeliveryWrite grants the necessary permissions for log delivery.
Hello.
How about trying the following to enable ACLs on the S3 bucket?
I think you can enable ACLs by using "OwnershipControls".
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html
```yaml
S3BucketLogs:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: examplebucket-logs
    OwnershipControls:
      Rules:
        - ObjectOwnership: BucketOwnerPreferred
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
```
Hi, thanks for replying. We've tried all object ownership options, which unfortunately produced the same issue. When setting up a sample via the console and letting CloudFront set up the ACLs for you, it configures the Object Ownership to "Object Writer".
The template below is one that I created in the past, but is it still not possible to set it up using this template?

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFront and S3 (access logs for CloudFront)
Resources:
  S3BucketAccesslogs:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      AccessControl: LogDeliveryWrite
      BucketName: !Sub '${AWS::StackName}-accesslogs-${AWS::Region}-${AWS::AccountId}'
      LifecycleConfiguration:
        Rules:
          - Id: AutoDelete
            Status: Enabled
            ExpirationInDays: 15
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: CustomOrigin
            DomainName: 'www.example.com'
            CustomOriginConfig:
              HTTPPort: 80
              OriginProtocolPolicy: http-only
        Enabled: true
        Logging:
          IncludeCookies: 'false'
          Bucket: !Sub '${S3BucketAccesslogs}.s3-${AWS::Region}.amazonaws.com'
          Prefix: !Sub '${AWS::StackName}/cloudfront/'
        Comment: !Sub '${AWS::StackName}'
        DefaultCacheBehavior:
          TargetOriginId: CustomOrigin
          ForwardedValues:
            QueryString: false
          DefaultTTL: 300
          MaxTTL: 300
          MinTTL: 300
          ViewerProtocolPolicy: redirect-to-https
```
I believe the latest example is correct. It's the `AccessControl: LogDeliveryWrite` property setting that allows CloudFront to deliver the logs. It's possible for access still to be blocked by a Deny statement in the bucket policy, or by access not having been granted to the KMS key if the bucket is set to use SSE-KMS encryption.

Looking at the error log, I thought that the problem was not with the log but with the AWS WAF settings. Could you please share the CloudFormation template you are using? For example, have you created a WebACL that can be referenced from CloudFront, as shown below?

```yaml
webAclforcloudfront:
  Type: AWS::WAFv2::WebACL
  Properties:
    DefaultAction:
      Allow: {}
    Description: WebACL for CloudFront
    Name: test-cf-webacl
    # Rules:
    #   - Rule
    Scope: CLOUDFRONT
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: test-cf-webacl
```
Unfortunately, neither of these examples works for me; I still get the same error: "Invalid request provided: AWS::CloudFront::Distribution: Web ACL is not accessible by the requester."
I've also tried disabling the encryption, and there's no bucket policy configured.
Thanks for your reply. Unfortunately, this produces the same error.
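An added pre-deploy check, written for this thread and not posted by any participant, that inspects a parsed CloudFormation template for the two failure modes discussed above: an ACL-based `AccessControl` (such as `LogDeliveryWrite`) on a bucket whose `ObjectOwnership` disallows ACLs, and a distribution whose `WebACLId` points at a WAFv2 WebACL that is not `Scope: CLOUDFRONT`. It takes the template as a Python dict with JSON-style intrinsics (`Ref`, `Fn::GetAtt`); the resource names in `sample_template` are constructed for illustration.

```python
"""Lint a parsed CloudFormation template for the two pitfalls discussed in this thread."""

# LogDeliveryWrite is an ACL grant; S3 rejects it when the bucket's ObjectOwnership
# is BucketOwnerEnforced, which is the default for newly created buckets.
ACL_BASED = {"LogDeliveryWrite"}

def _ownership(props):
    rules = props.get("OwnershipControls", {}).get("Rules", [])
    return rules[0].get("ObjectOwnership") if rules else None  # None = service default

def _logical_id(value):
    """Logical ID referenced by a JSON-style Ref or Fn::GetAtt value, else None."""
    if not isinstance(value, dict):
        return None
    if "Ref" in value:
        return value["Ref"]
    ga = value.get("Fn::GetAtt")
    return (ga[0] if isinstance(ga, list) else ga.split(".")[0]) if ga else None

def lint(template):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    res = template.get("Resources", {})
    findings = []
    for lid, r in res.items():
        props, rtype = r.get("Properties", {}), r.get("Type")
        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in ACL_BASED:
            own = _ownership(props)
            if own in (None, "BucketOwnerEnforced"):
                findings.append(f"{lid}: ACL {props['AccessControl']} with ObjectOwnership "
                                f"{own or 'default'}; use ObjectWriter or BucketOwnerPreferred")
        elif rtype == "AWS::CloudFront::Distribution":
            t = _logical_id(props.get("DistributionConfig", {}).get("WebACLId"))
            acl = res.get(t, {})
            if acl.get("Type") == "AWS::WAFv2::WebACL" and acl["Properties"].get("Scope") != "CLOUDFRONT":
                findings.append(f"{lid}: WebACLId refers to {t}, whose Scope is not CLOUDFRONT")
    return findings

def sample_template(ownership=None, waf_scope="CLOUDFRONT"):
    """Constructed template in the shape of the thread's first answer plus a WebACL."""
    bucket = {"AccessControl": "LogDeliveryWrite"}
    if ownership:
        bucket["OwnershipControls"] = {"Rules": [{"ObjectOwnership": ownership}]}
    return {"Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": bucket},
        "WebAcl": {"Type": "AWS::WAFv2::WebACL", "Properties": {"Scope": waf_scope}},
        "Dist": {"Type": "AWS::CloudFront::Distribution", "Properties": {
            "DistributionConfig": {"WebACLId": {"Fn::GetAtt": ["WebAcl", "Arn"]}}}}}}
```

The template shape in `sample_template()` with no `OwnershipControls` is flagged, while the same bucket with `ObjectWriter` or `BucketOwnerPreferred` passes; a template loaded from YAML with the `!Sub`/`!GetAtt` short forms would first need those tags converted to the JSON-style keys this check reads.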