Cloudfront S3 access logs - access denied?

0

Hello,

I've configured a cloudfront distribution for my S3-hosted website, that all works great. I've also configured an S3 bucket to get the logging, which is being put in there.

I'm now trying to get access to those logs. I can see them in the bucket as "<distribution>.<date>.<id>.tgz", but whatever I try I can't seem to get them off there. Downloading doesn't work - S3 returns me an access denied.
The bucket is set to private and AWS-KMS encrypted, and even trying to download them via the 'Download' button in the S3 UI tells me to sod off.

I'm the only one with access on my account, I have Administrator access, and there's no policy denying me.

What am I doing wrong?

asked 5 years ago · 1147 views
2 Answers
0

In the end, the issue had to do with KMS encryption. I was using the default aws/s3 key, but since cloudfront logs arrive from a different account, it was using the KMS key of the cloudfront account, which I can't access.

Switched to AES256 for now, will investigate later if I can work around this issue.

answered 5 years ago
0

Hey there. I had the same problem and was finally able to solve it.

I had three issues. (1) I didn't set KMSMasterKeyID initially in my CFT. I just specified SSEAlgorithm: aws:kms. I assumed this would make AWS use my default key. I was wrong. Instead the log delivery service used its own key to encrypt the log files. This caused the Access Denied issue when I tried to download or view the log files. (2) Once I set KMSMasterKeyID to one of my own CMKs, the log delivery service stopped writing files. (3) For KMSMasterKeyID, I used the ID from the Ref function, not the ARN. Nothing complained at deploy time, but at runtime no log files were being written. I was never able to find much in CloudTrail to help debug. I noticed the difference after staring at the AWS Console showing the bucket's KMS setting and realized my mistake.

To solve (1), I created my own CMK.

To solve (2) and (3), I referenced my CMK by its ARN in my CFT. The AWS docs have the solution, but I was stuck for hours until I realized I was referencing a bad ID (not using the ARN) in my CFT.

Here's the link to the AWS docs that discuss the correct approach. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsKMSPermissions

Here's my key policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Give root user of AWS account full control of key.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your-account-goes-here>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow logging agent for CloudFront to use the key.",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*"
        }
    ]
}

Edited by: geeeoff on Dec 29, 2019 9:28 AM

geeeoff
answered 4 years ago
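The combination the answer above describes, written out as a single CloudFormation template. This is an added example, not the answerer's own CFT: the resource names LogKey and LogBucket are chosen here, the key policy mirrors the one posted above (with the account ID filled in via AWS::AccountId), and the bucket's default encryption references the key by ARN through GetAtt instead of the bare key ID that Ref returns.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example template (not from the original post): an S3 bucket for CloudFront
  standard access logs, encrypted with a customer-managed KMS key that the
  CloudFront log delivery service is permitted to use.

Resources:
  # Customer-managed key. The policy matches the one in the answer above:
  # the account root keeps full control of the key, and the CloudFront log
  # delivery service may generate data keys to encrypt the log objects.
  LogKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK for CloudFront access logs (example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: Give root user of AWS account full control of key.
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          - Sid: Allow logging agent for CloudFront to use the key.
            Effect: Allow
            Principal:
              Service: delivery.logs.amazonaws.com
            Action: "kms:GenerateDataKey*"
            Resource: "*"

  # Log bucket. Default encryption uses the key above, referenced by ARN.
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              # Issue (3) in the answer: "!Ref LogKey" yields only the key ID,
              # which deploys cleanly but stops log delivery at runtime.
              # The key ARN is what the delivery service needs.
              KMSMasterKeyID: !GetAtt LogKey.Arn
      # Keeps the bucket private, as in the question. Log delivery writes an
      # account-scoped ACL grant, not a public one, so this does not block it.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Outputs:
  LogBucketName:
    Description: Bucket to configure as the distribution's logging target
    Value: !Ref LogBucket
  LogKeyArn:
    Description: Key ARN the bucket's default encryption points at
    Value: !GetAtt LogKey.Arn
```

After deploying, point the distribution's standard logging at the LogBucketName output. A quick sanity check for issue (3) is `aws s3api get-bucket-encryption --bucket <bucket>`: the KMSMasterKeyID in the output should be the full key ARN (arn:aws:kms:...:key/...), not a bare key ID. If it shows the ID, the template is still using Ref where it needs GetAtt.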
