In the end, the issue had to do with KMS encryption. I was using the default aws/s3 key, but since CloudFront logs arrive from a different account, it was using the KMS key of the CloudFront account, which I can't access.
Switched to AES256 for now; will investigate later if I can work around this issue.
Hey there. I had the same problem and was finally able to solve it.
I had three issues. (1) I didn't set KMSMasterKeyID initially in my CFT. I just specified SSEAlgorithm: aws:kms. I assumed this would make AWS use my default key. I was wrong. Instead the log delivery service used its own key to encrypt the log files. This caused the Access Denied issue when I tried to download or view the log files. (2) Once I set KMSMasterKeyID to one of my own CMKs, the log delivery service stopped writing files. (3) For KMSMasterKeyID, I used the ID from the Ref function, not the ARN. Nothing complained at deploy time, but at runtime no log files were being written. I was never able to find much in CloudTrail to help debug. I noticed the difference after staring at the AWS Console showing the bucket's KMS setting and realized my mistake.
To solve (1), I created my own CMK.
To solve (2) and (3), I referenced my CMK by its ARN in my CFT. The AWS docs have the solution, but I was stuck for hours until I realized I was referencing a bad ID (not using the ARN) in my CFT.
Here's the link to the AWS docs that discuss the correct approach. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsKMSPermissions
Here's my key policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Give root user of AWS account full control of key.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your-account-goes-here>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow logging agent for CloudFront to use the key.",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*"
        }
    ]
}
Edited by: geeeoff on Dec 29, 2019 9:28 AM
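The answer above describes three misconfigurations that are easy to reproduce: SSE-KMS with no KMSMasterKeyID, a bare key ID (what Ref returns for an AWS::KMS::Key) instead of the key ARN, and a key policy that does not let delivery.logs.amazonaws.com generate data keys. The script below is an added example, not code from the post or from AWS: it audits a GetBucketEncryption-style dict and a key-policy document offline for exactly those three conditions. The account number, key ID and bucket configurations are constructed samples; the key policy is the one from the answer with a placeholder account filled in.

```python
"""Offline checks for the three failure modes described in the answer above:
(1) aws:kms with no KMSMasterKeyID, (3) a key ID instead of a key ARN, and a key
policy that does not grant kms:GenerateDataKey to the log delivery service.
Example code added to this page, not from the post or from AWS. All sample
inputs (account, key ID, bucket configs) are constructed."""
import fnmatch
import json
import re

# arn:<partition>:kms:<region>:<12-digit account>:key/<uuid>
KEY_ARN_RE = re.compile(r"^arn:[^:]+:kms:[^:]+:\d{12}:key/[0-9a-f-]{36}$")
LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
REQUIRED_ACTION = "kms:GenerateDataKey"


def _as_list(value):
    """IAM documents allow either a string or a list in Action/Service fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_bucket_encryption(config):
    """Return findings for the bucket's default-encryption rules (empty = OK)."""
    findings = []
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule configured"]
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        key = default.get("KMSMasterKeyID")
        if algo == "AES256":
            continue  # SSE-S3: no customer key policy involved (the first answer's workaround)
        if algo != "aws:kms":
            findings.append(f"unexpected SSEAlgorithm {algo!r}")
        elif not key:
            # Failure (1): the cross-account log delivery service encrypts with a
            # key this account cannot use, so reads fail with Access Denied.
            findings.append("aws:kms without KMSMasterKeyID: set it to your own CMK")
        elif not KEY_ARN_RE.match(key):
            # Failure (3): a bare key ID (Ref on AWS::KMS::Key) instead of the ARN
            # (Fn::GetAtt <Key>.Arn); the other account cannot resolve it.
            findings.append(f"KMSMasterKeyID {key!r} is not a key ARN: use the ARN, not the ID")
    return findings


def audit_key_policy(policy):
    """Return findings if no Allow statement lets log delivery generate data keys."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if LOG_DELIVERY_SERVICE not in services:
            continue
        # IAM action patterns are case-insensitive globs ("kms:GenerateDataKey*", "kms:*").
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(REQUIRED_ACTION.lower(), pattern.lower()):
                return []
    return [f"no Allow statement grants {REQUIRED_ACTION} to {LOG_DELIVERY_SERVICE}"]


# --- constructed samples ---------------------------------------------------
def _rule(algo, key_id=None):
    default = {"SSEAlgorithm": algo}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration":
            {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}


KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CONFIG_NO_KEY = _rule("aws:kms")                          # failure (1)
CONFIG_KEY_ID = _rule("aws:kms", KEY_ARN.split("/")[-1])  # failure (3): Ref-style ID
CONFIG_OK = _rule("aws:kms", KEY_ARN)                     # the fix: key ARN
CONFIG_SSE_S3 = _rule("AES256")                           # the first answer's workaround

GOOD_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "kms:GenerateDataKey*", "Resource": "*"}
  ]
}""")
BAD_POLICY = {"Version": "2008-10-17", "Statement": GOOD_POLICY["Statement"][:1]}

if __name__ == "__main__":
    for name, cfg in [("no key", CONFIG_NO_KEY), ("key id", CONFIG_KEY_ID),
                      ("arn", CONFIG_OK), ("sse-s3", CONFIG_SSE_S3)]:
        print(name, audit_bucket_encryption(cfg))
    print("good policy", audit_key_policy(GOOD_POLICY))
    print("bad policy", audit_key_policy(BAD_POLICY))
```

To run it against a real bucket, feed `audit_bucket_encryption` the dict returned by `boto3.client("s3").get_bucket_encryption(Bucket=...)` and `audit_key_policy` the parsed `Policy` string from `kms.get_key_policy(KeyId=..., PolicyName="default")`; note that a silent write failure (mode 3) leaves nothing in CloudTrail in this account, so checking the configuration up front is the practical way to catch it.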