save flow log to a different account

0

Hello all, I am having an issue with saving a flow log from account1 to an S3 bucket in account2. I have looked around and was not able to find a way to do that. When I try to set it up I get this error: "Method not allowed for LogDestination: <s3 bucket> Please check LogDestination permission"

On the S3 bucket for account 2 I have:

{
    "Version": "2012-10-17",
    "Id": "Policy1",
    "Statement": [
        {
            "Sid": "writeflow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account1>:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<s3 bucket on account 2>"
        }
    ]
}

I have also tried, on the S3 bucket: Access for other AWS accounts, Grantee: <ConID>, full access.

I am just setting up full access for the moment; once I get it working I'll reduce the permissions.

asked 2 years ago · 2593 views
6 Answers
0
Accepted Answer

Hi all, we finally got it working with the script below; just replace 123412341234 with the account sending the flow log, e.g. 1234-1234-1234 becomes 123412341234.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::s3bucketname",
                "arn:aws:s3:::s3bucketname/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123412341234",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-southeast-2:123412341234:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::s3bucketname",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123412341234"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-southeast-2:123412341234:*"
                }
            }
        }
    ]
}
answered 2 years ago
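As an added check (not from the question or any answer in this thread), the Python snippet below audits a bucket policy for the two grants the accepted answer relies on: s3:PutObject on the object ARN with the bucket-owner-full-control ACL condition, and s3:GetBucketAcl on the bucket ARN, both for delivery.logs.amazonaws.com and both scoped to the source account and region via aws:SourceAccount and aws:SourceArn. The sample policy it runs on is constructed from the question's policy, with the account number 123412341234 and bucket name s3bucketname borrowed from the accepted answer as placeholders.

```python
DELIVERY = "delivery.logs.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_flow_log_bucket_policy(policy, bucket, source_account, region):
    """Return findings (empty list = OK) for a bucket policy meant to receive flow logs."""
    bucket_arn, findings = f"arn:aws:s3:::{bucket}", []
    objects_arn = f"{bucket_arn}/*"
    source_arn = f"arn:aws:logs:{region}:{source_account}:*"
    put_ok = acl_ok = False
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        # Flow logs are written by the log delivery service principal, not by IAM
        # identities of the source account, so any other principal is ignored here.
        if stmt.get("Effect") != "Allow" or DELIVERY not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("ArnLike", {})
        if (source_account not in _as_list(equals.get("aws:SourceAccount", []))
                or source_arn not in _as_list(like.get("aws:SourceArn", []))):
            findings.append(f"{sid}: not restricted to {source_arn} via aws:SourceAccount/aws:SourceArn")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "s3:PutObject" in actions:
            if objects_arn not in resources:  # cause of "Action does not apply to any resource(s)"
                findings.append(f"{sid}: s3:PutObject needs the object ARN {objects_arn}")
            elif equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: missing s3:x-amz-acl = bucket-owner-full-control condition")
            else:
                put_ok = True
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True
    if not put_ok:
        findings.append(f"no usable s3:PutObject grant on {objects_arn} for {DELIVERY}")
    if not acl_ok:
        findings.append(f"no s3:GetBucketAcl grant on {bucket_arn} for {DELIVERY}")
    return findings

# Constructed sample modelled on the question: trusts account1's root principal, not the delivery service.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "writeflow", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123412341234:root"}, "Action": "s3:*",
    "Resource": "arn:aws:s3:::s3bucketname"}]}

if __name__ == "__main__":
    print(check_flow_log_bucket_policy(QUESTION_POLICY, "s3bucketname", "123412341234", "ap-southeast-2"))
```

Running it against the question's policy reports both grants as missing, because the service principal is never named; running it against the accepted answer's policy returns no findings.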
0

Hello,

I think I understand your issue. Please use the following policy.

  1. The issue was with "Resource": "my-s3-arn". As the error message says, Action does not apply to any resource(s) in statement, so we need to correct the Resource ARN. S3 buckets require one ARN at the bucket level and another one for all the objects in the bucket.

     "Resource": [
         "arn:aws:s3:::testflowlogs84763",
         "arn:aws:s3:::testflowlogs84763/*"
     ],

  2. In addition, please turn off Block public access (bucket settings), as we are providing access through a bucket policy.

  3. I used the ap-southeast-2 region; please replace [SourceAccount] with the account from where the flow logs will be generated.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::testflowlogs84763",
                "arn:aws:s3:::testflowlogs84763/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[SourceAccount]",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[SourceAccount]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::testflowlogs84763",
                "arn:aws:s3:::testflowlogs84763/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[SourceAccount]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[SourceAccount]:*"
                }
            }
        }
    ]
}

Please accept as Answer if this works for you, or let me know if you need further help.

Sri

Sri
answered 2 years ago
  • Hi Sri,

    What you sent was accepted, and I also turned on public access, then tried but got this error: Unable to create flow log Access Denied for LogDestination: <s3 bucket>. Please check LogDestination permission. Also, all of the accounts are in ap-southeast-2. Thanks for your help so far.

    Jake

  • Could you please double-check that the bucket exists in ap-southeast-2 under bucket properties? Sometimes we don't realize while creating buckets that we are in a different region, as it shows Global. Even though S3 is a global service, buckets are regional for data compliance purposes.

    I have tried the same example. I have created a flow log from a subnet and launched an EC2 in the same subnet to create some traffic. I was able to see the logs in the bucket of another account.

0

Please try this:

  1. Replace [Account1] and [Account2] with your account numbers.
  2. Replace the bucket name as well.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::testflowlogs84763",
                "arn:aws:s3:::testflowlogs84763/*",
                "arn:aws:s3:::testflowlogs84763/AWSLogs/[Account1]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": [
                        "[Account2]",
                        "[Account1]"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:ap-southeast-2:[Account2]:*",
                        "arn:aws:logs:ap-southeast-2:[Account1]:*"
                    ]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::testflowlogs84763",
                "arn:aws:s3:::testflowlogs84763/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[Account2]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[Account2]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::testflowlogs84763",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[Account1]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[Account1]:*"
                }
            }
        }
    ]
}
Sri
answered 2 years ago
  • Hi Sri, I tried this one but unfortunately got the same issue: Unable to create flow log Access Denied for LogDestination: habitat3awslogs. Please check LogDestination permission.

  • I will write up a blog article for you soon

0

Hi AWS-User-6550659,

I hope you are trying to send VPC flow logs to an S3 destination located in a different AWS account. As per my understanding, you are seeing issues with pushing flow logs to S3 from a different account. For this scenario to work, S3 has to allow {"Service": "delivery.logs.amazonaws.com"}.

Hope the article below might be of some help here.

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions

Happy to help.

answered 2 years ago
  • Hi Karthikeyan,

    I tried the bucket permission section and replaced "my-s3-arn" and "arn:aws:s3:::bucket_name" with the bucket ARN, and "arn:aws:logs:region:account_id:*" and "account_id" with the account number, but I got this error: "Unknown Error An unexpected error occurred. API response Action does not apply to any resource(s) in statement"

    Jake

0

The ARN my-s3-arn/arn:aws:s3:::bucket_name seems to be incorrect in the policy as per the error; could you please check again? An example ARN: arn:aws:s3:::s3bucketname

Sri
answered 2 years ago
  • Hi Sri, that is correct; I was using "my-s3-arn/arn:aws:s3:::bucket_name" to represent the two places where I have to change the ARN. I have updated my reply to avoid that confusion. Jake
