Hi all, we finally got it working with the script below; just replace 123412341234 with the account sending the flow logs, e.g. 1234-1234-1234 becomes 123412341234.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::s3bucketname",
        "arn:aws:s3:::s3bucketname/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123412341234",
          "s3:x-amz-acl": "bucket-owner-full-control"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:ap-southeast-2:123412341234:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::s3bucketname",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123412341234"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:ap-southeast-2:123412341234:*"
        }
      }
    }
  ]
}
```
Hello,
I think I understand your issue. Please use the following policy.
- The issue was with `"Resource": "my-s3-arn",`, as the error message says `Action does not apply to any resource(s) in statement`, so we need to correct the Resource ARN. S3 buckets require one ARN at the bucket level and another one for all the objects in the bucket:

  ```json
  "Resource": [
    "arn:aws:s3:::testflowlogs84763",
    "arn:aws:s3:::testflowlogs84763/*"
  ],
  ```
- In addition, please turn off Block public access (bucket settings), as we are providing access through a bucket policy.
- I used the ap-southeast-2 region; please replace [SourceAccount] with the account from where the flow logs will be generated.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::testflowlogs84763",
        "arn:aws:s3:::testflowlogs84763/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "[SourceAccount]",
          "s3:x-amz-acl": "bucket-owner-full-control"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[SourceAccount]:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::testflowlogs84763",
        "arn:aws:s3:::testflowlogs84763/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "[SourceAccount]"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[SourceAccount]:*"
        }
      }
    }
  ]
}
```

Please accept as Answer if this works for you, or let me know if you need further help.
Sri
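Added here as an illustration (not code from Sri or any other poster in this thread): a small Python linter that checks a flow-log bucket policy for the two things the thread turned on, the bucket-level plus object-level Resource ARNs behind the "Action does not apply to any resource(s)" error, and the aws:SourceAccount / aws:SourceArn conditions that stop the log delivery service from being steered by a different account into writing here. The bucket name, account and region are parameters; the sample policy is constructed.

```python
import json
# Constructed sample (not from the thread): the AWSLogDeliveryCheck statement
# with the object-only Resource that produced "Action does not apply to any
# resource(s) in statement", and with no source-account conditions at all.
BAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "AWSLogDeliveryCheck", "Effect": "Allow",
  "Principal": {"Service": "delivery.logs.amazonaws.com"},
  "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
  "Resource": "arn:aws:s3:::testflowlogs84763/*"}]}""")

LOG_PRINCIPAL = "delivery.logs.amazonaws.com"
BUCKET_ACTIONS = {"s3:GetBucketAcl", "s3:ListBucket"}  # need the bare bucket ARN
OBJECT_ACTIONS = {"s3:PutObject"}                       # need the bucket/* ARN

def _as_list(value):
    # Most IAM policy fields accept either a single string or a list.
    return value if isinstance(value, list) else [value]

def lint_flow_log_policy(policy, bucket, account, region):
    """Return a list of findings (empty = passes) for log-delivery statements."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    expected_src_arn = f"arn:aws:logs:{region}:{account}:*"
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if not isinstance(principal, dict) or \
                LOG_PRINCIPAL not in _as_list(principal.get("Service", [])):
            continue  # not a grant to the log delivery service; skip
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        # Bucket-level and object-level actions each need their own ARN type;
        # if an action matches no ARN in the statement, S3 rejects the policy.
        if actions & BUCKET_ACTIONS and bucket_arn not in resources:
            findings.append(f"{sid}: bucket-level action without {bucket_arn}")
        if actions & OBJECT_ACTIONS and f"{bucket_arn}/*" not in resources:
            findings.append(f"{sid}: s3:PutObject without {bucket_arn}/*")
        # Confused-deputy guard: pin the service principal to the expected
        # source account and log ARN so no other account can write into here.
        equals = st.get("Condition", {}).get("StringEquals", {})
        arn_like = st.get("Condition", {}).get("ArnLike", {})
        if account not in _as_list(equals.get("aws:SourceAccount", [])):
            findings.append(f"{sid}: aws:SourceAccount does not pin {account}")
        if expected_src_arn not in _as_list(arn_like.get("aws:SourceArn", [])):
            findings.append(f"{sid}: aws:SourceArn does not pin {expected_src_arn}")
        if "s3:PutObject" in actions and \
                equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: PutObject without bucket-owner-full-control ACL")
    return findings
```

Run it against the policy you are about to attach; the policies that worked in this thread come back with an empty list for their own bucket, account and region.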
Please try this:
- Replace [Account1], [Account2] with your account numbers.
- Replace the bucket name as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::testflowlogs84763",
        "arn:aws:s3:::testflowlogs84763/*",
        "arn:aws:s3:::testflowlogs84763/AWSLogs/[Account1]/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": [
            "[Account2]",
            "[Account1]"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:ap-southeast-2:[Account2]:*",
            "arn:aws:logs:ap-southeast-2:[Account1]:*"
          ]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::testflowlogs84763",
        "arn:aws:s3:::testflowlogs84763/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "[Account2]"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[Account2]:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::testflowlogs84763",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "[Account1]"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:ap-southeast-2:[Account1]:*"
        }
      }
    }
  ]
}
```
Hi Sri, I tried this one but unfortunately got the same issue: "Unable to create flow log Access Denied for LogDestination: habitat3awslogs. Please check LogDestination permission".
I will write up a blog article for you soon
Hi AWS-User-6550659,
I hope you are trying to send VPC flow logs to an S3 destination which is located in a different AWS account. As per my understanding, you are seeing issues with pushing flow logs to S3 from a different account. For this scenario to work, S3 has to allow `{"Service": "delivery.logs.amazonaws.com"}`.
Hope the article below might be of some help here.
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions
Happy to help.
Hi Karthikeyan,
I tried the bucket permission section and replaced "my-s3-arn" and "arn:aws:s3:::bucket_name" with the bucket ARN, and "arn:aws:logs:region:account_id:*" and "account_id" with the account number, but I got this error: "Unknown Error An unexpected error occurred. API response Action does not apply to any resource(s) in statement".
Jake
The ARN `my-s3-arn/arn:aws:s3:::bucket_name` seems to be incorrect in the policy as per the error; could you please check again? An example ARN: `arn:aws:s3:::s3bucketname`
Hi Sri, that is correct. I was using "my-s3-arn/arn:aws:s3:::bucket_name" to represent the two places where I have to change the ARN; I have updated my reply to avoid that confusion. Jake
Here is the blog article, hope this helps!
https://dev.to/kasukur/how-to-publish-vpc-flow-logs-to-a-different-account-1ead
Sri
Hi Sri,
What you sent was accepted, and I also turned on public access, then tried again but got this error: "Unable to create flow log Access Denied for LogDestination: <s3 bucket>. Please check LogDestination permission". Also, all of the accounts are in ap-southeast-2. Thanks for your help so far.
Jake
Could you please double check that the bucket exists in ap-southeast-2 under bucket properties? Sometimes we don't realize while creating the buckets that we are in a different region as it shows Global. Even though S3 is a global service, the buckets are regional for data compliance purposes.
I have tried the same example. I have created a flow log from a subnet and launched an EC2 in the same subnet to create some traffic. I was able to see the logs in the bucket of another account.