Setting up access logging for cloudfront using cloudformation template

0

I am trying to create and configure an S3 bucket to store all CloudFront Distribution logs. According to AWS documentation, I need to create a custom ACL that grants the CloudFront Distribution service Read and Write access to this S3 logging bucket. However, I can't see a way to configure the custom ACL using cloudformation templates and subsequently am receiving errors when creating the cloudfront distribution as it can't access the log bucket.

The error I'm receiving is

Invalid request provided: AWS::CloudFront::Distribution: Web ACL is not accessible by the requester.

Is it possible to setup server access logging for cloudfront using cloudformation templates? If so, how do I configure the Web ACL?

2 Answers
4

Hi rePost-User-3213957,

Please go through the steps below; I hope they help you resolve your issue.

Step-by-Step Guide

Create the S3 Bucket:

  • Use a CloudFormation template to create the S3 bucket that will store CloudFront logs.

Attach a Bucket Policy:

  • Add a bucket policy to the S3 bucket that allows the CloudFront service to write logs to it.

Create the CloudFront Distribution:

  • Configure the CloudFront distribution to use the S3 bucket for logging.

Example CloudFormation Template

Here’s an example CloudFormation template that accomplishes these tasks:

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  # Declared here so the !Sub references in the Origins block below resolve
  SourceBucket:
    Type: String
    Description: Name of the S3 bucket used as the distribution origin
  SourceBucketOriginAccessIdentity:
    Type: String
    Description: ID of the CloudFront origin access identity for the origin bucket
Resources:
  CloudFrontLoggingBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'cloudfront-logs-${AWS::AccountId}'
      # The default ObjectOwnership (BucketOwnerEnforced) rejects all ACLs,
      # so an ACL-compatible setting is required for AccessControl to apply
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  CloudFrontLoggingBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref CloudFrontLoggingBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudFrontServicePrincipal
            Effect: Allow
            Principal:
              Service: 'cloudfront.amazonaws.com'
            Action: 's3:PutObject'
            Resource: !Sub 'arn:aws:s3:::${CloudFrontLoggingBucket}/*'
            Condition:
              StringEquals:
                'AWS:SourceArn': !GetAtt CloudFrontDistribution.Arn

  CloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Origins:
          - Id: myS3Origin
            DomainName: !Sub '${SourceBucket}.s3.amazonaws.com'
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${SourceBucketOriginAccessIdentity}'
        Enabled: true
        DefaultCacheBehavior:
          TargetOriginId: myS3Origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
        Logging:
          Bucket: !Sub '${CloudFrontLoggingBucket}.s3.amazonaws.com'
          IncludeCookies: false
          Prefix: 'my-cloudfront-logs/'

Explanation

S3 Bucket Creation:

  • The CloudFrontLoggingBucket resource creates an S3 bucket with the specified name. The PublicAccessBlockConfiguration ensures that the bucket is not publicly accessible.

Bucket Policy:

  • The CloudFrontLoggingBucketPolicy resource attaches a policy to the S3 bucket, allowing the CloudFront service to write logs to it. The Condition ensures that only CloudFront distributions with the specified ARN can write to the bucket.

CloudFront Distribution:

  • The CloudFrontDistribution resource configures a CloudFront distribution and specifies the logging configuration to point to the S3 bucket.

Main Points:

Bucket Policy: Ensure the bucket policy correctly grants the cloudfront.amazonaws.com service principal permission to write to the S3 bucket.

Bucket Name and ARNs: Ensure that the bucket name and ARNs are correctly referenced in the template.

Logging Configuration: Ensure the Logging property in the CloudFront distribution configuration correctly specifies the S3 bucket name and log prefix.

Access Control List (ACL): The ACL LogDeliveryWrite grants the necessary permissions for log delivery.

EXPERT
answered 3 months ago
  • Thanks for your reply. Unfortunately this produces the same error.

2

Hello.

How about trying the following to enable the ACL of the S3 bucket?
I think you can use ACL by using "OwnershipControls".
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html

  S3BucketLogs:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: examplebucket-logs
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
EXPERT
answered 3 months ago
EXPERT
reviewed 3 months ago
  • Hi, thanks for replying. We've tried all object ownership options, which unfortunately produced the same issue. When setting up a sample via the console and CloudFront sets up the ACLs for you, it configures the Object Ownership to "Object Writer".

  • The template below is one that I created in the past, but is it still not possible to set it using this template?

    AWSTemplateFormatVersion: '2010-09-09'
    Description: CloudFront and S3 (access logs for CloudFront)
    Resources:
      S3BucketAccesslogs:
        Type: AWS::S3::Bucket
        Properties:
          OwnershipControls:
            Rules:
              - ObjectOwnership: BucketOwnerPreferred
          AccessControl: LogDeliveryWrite
          BucketName: !Sub '${AWS::StackName}-accesslogs-${AWS::Region}-${AWS::AccountId}'
          LifecycleConfiguration:
            Rules:
              - Id: AutoDelete
                Status: Enabled
                ExpirationInDays: 15
    
      CloudFrontDistribution:
        Type: AWS::CloudFront::Distribution
        Properties:
          DistributionConfig:
            Origins:
              - Id: CustomOrigin
                DomainName: 'www.example.com'
                CustomOriginConfig:
                  HTTPPort: 80
                  OriginProtocolPolicy: http-only
            Enabled: true
            Logging:
              IncludeCookies: false
              Bucket: !Sub '${S3BucketAccesslogs}.s3-${AWS::Region}.amazonaws.com'
              Prefix: !Sub '${AWS::StackName}/cloudfront/'
            Comment: !Sub '${AWS::StackName}'
            DefaultCacheBehavior:
              TargetOriginId: CustomOrigin
              ForwardedValues:
                QueryString: false
              DefaultTTL: 300
              MaxTTL: 300
              MinTTL: 300
              ViewerProtocolPolicy: redirect-to-https
    
  • I believe the latest example is correct. It's the AccessControl: LogDeliveryWrite property setting that allows CloudFront to deliver the logs. It's possible for access still to be blocked by a Deny statement in the bucket policy or by access not having been granted to the KMS key, if the bucket is set to use SSE-KMS encryption.

  • Looking at the error log, I thought that the problem was not with the log but with the AWS WAF settings. Could you please share the CloudFormation template you are using? For example, have you created a WebACL that can be referenced from CloudFront as shown below?

      webAclforcloudfront:
        Type: AWS::WAFv2::WebACL
        Properties:
          DefaultAction:
            Allow: {}
          Description: WebACL for CloudFront
          Name: test-cf-webacl
          # Rules:
          #   - Rule
          Scope: CLOUDFRONT
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: test-cf-webacl
    
  • Unfortunately, neither of these examples works for me; both still produce the same error: "Invalid request provided: AWS::CloudFront::Distribution: Web ACL is not accessible by the requester."

    I've also tried disabling the encryption, and there's no bucket policy configured.
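To catch the template-level problems discussed in both answers before a deploy, here is an added Python linter (not code from this thread or from AWS). It takes a CloudFormation template in its JSON form as a Python dict and flags Ref/Fn::Sub/Fn::GetAtt names that are never declared, a bucket that sets AccessControl while its ObjectOwnership would reject ACLs, an incomplete PublicAccessBlockConfiguration, and a distribution whose Logging.Bucket does not point at a bucket the template defines. It assumes intrinsic functions are written as {"Ref": ...}, {"Fn::Sub": ...} and {"Fn::GetAtt": ...}.

```python
import re

# ${Name} or ${Name.Attr} inside Fn::Sub; ${!Literal} is an escape and is skipped
SUB_VAR = re.compile(r"\$\{([^}!][^}]*)\}")
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def referenced_names(node):
    """Logical names used via Ref, Fn::GetAtt or Fn::Sub anywhere under node (pseudo parameters excluded)."""
    names = set()
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref":
                names.add(val)
            elif key == "Fn::GetAtt":
                names.add(val[0] if isinstance(val, list) else val.split(".")[0])
            elif key == "Fn::Sub":
                text = val if isinstance(val, str) else val[0]
                names |= {v.split(".")[0] for v in SUB_VAR.findall(text)}
            else:
                names |= referenced_names(val)
    elif isinstance(node, list):
        for item in node:
            names |= referenced_names(item)
    return {n for n in names if not n.startswith("AWS::")}

def check_logging_setup(template):
    """Return findings for the CloudFront access-log bucket wiring; an empty list means all checks passed."""
    findings, resources = [], template.get("Resources", {})
    defined = set(resources) | set(template.get("Parameters", {}))
    findings += [f"unresolved reference: {n}" for n in sorted(referenced_names(resources) - defined)]
    buckets = {n: r for n, r in resources.items() if r["Type"] == "AWS::S3::Bucket"}
    for name, res in buckets.items():
        props = res.get("Properties", {})
        rules = props.get("OwnershipControls", {}).get("Rules", [])
        ownership = rules[0].get("ObjectOwnership") if rules else None
        # New buckets default to BucketOwnerEnforced, which rejects every ACL, so the
        # LogDeliveryWrite ACL only takes effect with ObjectWriter or BucketOwnerPreferred.
        if "AccessControl" in props and ownership in (None, "BucketOwnerEnforced"):
            findings.append(f"{name}: AccessControl set but ObjectOwnership is {ownership}")
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in PAB_KEYS):
            findings.append(f"{name}: all four PublicAccessBlockConfiguration flags should be true")
    for name, res in resources.items():
        if res["Type"] == "AWS::CloudFront::Distribution":
            logging = res["Properties"]["DistributionConfig"].get("Logging", {})
            if not referenced_names(logging.get("Bucket")) & set(buckets):
                findings.append(f"{name}: Logging.Bucket is missing or does not reference a bucket in this template")
    return findings
```

Run against the first answer's template as originally posted (converted to JSON form), it reports the two undeclared names SourceBucket and SourceBucketOriginAccessIdentity plus the missing ownership setting; once those are declared and OwnershipControls is added, it returns an empty list.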
