
ALB access-log bucket getting created despite disabled

0

Hey Guys,

I am turning my head around a really strange scenario and would like to get some suggestions. I am creating a load balancer via Terraform, and what I see is that access log buckets are getting created in AWS S3 even if I am not specifying anything in the code. It is getting created by default outside Terraform. I tried disabling the access logs in the code, but still, surprisingly, AWS itself is creating the bucket. Is it something done from the AWS side? If so, what option needs to be checked to prevent the bucket creation? (The path inside the buckets shows AWSLogs --> account_id --> ELBAccessLogTestFile.)

3 Answers
1

This behavior is unusual as AWS doesn't automatically create S3 buckets for load balancer access logs by default. Access logs for load balancers (ALB, NLB, or Classic) need to be explicitly enabled, and you need to specify an existing S3 bucket where the logs should be stored.

When you enable access logs for a load balancer, AWS will create a test file named "ELBAccessLogTestFile" in the specified bucket path (typically under AWSLogs/[account-id]/) to verify that the permissions are set correctly. However, AWS should not be creating entire buckets automatically.

To disable access logs for your load balancer, you need to explicitly set the "Enabled" attribute to false in your load balancer configuration. For example, in a Classic Load Balancer configuration, the access log attribute would look like:

"AccessLog": {
  "Enabled": false
}

Check your Terraform code to ensure there isn't another resource or module that might be enabling access logs. Also, verify if there are any organizational policies or AWS Config rules in your account that might be automatically enabling access logging for compliance reasons.

If you're certain that your Terraform code is correctly disabling access logs but buckets are still being created, you might want to check CloudTrail logs to see which entity or service is creating these buckets, as this is not standard AWS behavior.
Sources
Disable access logs for your Classic Load Balancer - Elastic Load Balancing
Enable access logs for your Application Load Balancer - Elastic Load Balancing

answered 10 months ago
EXPERT
reviewed 10 months ago
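
The CloudTrail check suggested in the answer above, as an added example that is not part of the original post: it maps each bucket to the principal that created it and to any call that pointed a load balancer's access logs at it. The records are constructed placeholders, and the attribute key/value layout of ModifyLoadBalancerAttributes is an assumption about the record shape.

```python
# Constructed CloudTrail records (placeholders, not data from the thread).
# Assumption: ModifyLoadBalancerAttributes lists its attributes as key/value pairs.
TF_AGENT = "APN/1.0 HashiCorp/1.0 Terraform/1.5.0"  # constructed user agent
ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/session"  # placeholder
LB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/my-lb/abc"
ELB = "elasticloadbalancing.amazonaws.com"

def event(source, name, params, agent=TF_AGENT, arn=ROLE):
    return {"eventSource": source, "eventName": name, "userAgent": agent,
            "userIdentity": {"arn": arn}, "requestParameters": params}

SAMPLE_EVENTS = [
    event("s3.amazonaws.com", "CreateBucket", {"bucketName": "example-alb-logs"}),
    event(ELB, "ModifyLoadBalancerAttributes",
          {"loadBalancerArn": LB, "attributes": [
              {"key": "access_logs.s3.enabled", "value": "true"},
              {"key": "access_logs.s3.bucket", "value": "example-alb-logs"}]}),
    event(ELB, "ModifyLoadBalancerAttributes",
          {"loadBalancerArn": LB, "attributes": [
              {"key": "access_logs.s3.enabled", "value": "false"}]},
          agent="console.amazonaws.com"),
]

def trace_access_log_buckets(records):
    """Map each bucket to who created it and who enabled LB access logs into it."""
    report = {}
    for rec in records:
        params = rec.get("requestParameters") or {}
        # userAgent is client-supplied, so treat via_terraform as a hint only.
        actor = {"principal": rec.get("userIdentity", {}).get("arn", "unknown"),
                 "via_terraform": "terraform" in rec.get("userAgent", "").lower()}
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key == ("s3.amazonaws.com", "CreateBucket"):
            report.setdefault(params.get("bucketName"), {})["created_by"] = actor
        elif key == (ELB, "ModifyLoadBalancerAttributes"):
            attrs = {a.get("key"): a.get("value") for a in params.get("attributes", [])}
            if attrs.get("access_logs.s3.enabled") == "true":
                entry = report.setdefault(attrs.get("access_logs.s3.bucket"), {})
                entry.setdefault("logging_enabled_by", []).append(
                    dict(actor, load_balancer=params.get("loadBalancerArn")))
    return report

if __name__ == "__main__":
    for bucket, info in trace_access_log_buckets(SAMPLE_EVENTS).items():
        print(bucket, info)
```

A bucket that shows `created_by` with `via_terraform` set points back at a resource or module in the Terraform run; one with no `created_by` entry in the searched window was created earlier or by a call not in the records.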
0

I agree with the Agent. The bucket will NOT be created by AWS. Likely you will have something somewhere in your Terraform creating the S3 resource.

EXPERT
answered 10 months ago
0

According to the Terraform documentation, the default value for access_logs is true. That is, you need to disable it.

Refer: https://registry.terraform.io/providers/rgeraskin/aws2/latest/docs/resources/elb#access_logs-1

Example:

resource "aws_lb" "example" {
  name               = "my-lb"
  internal           = false
  load_balancer_type = "application"
  subnets            = ["subnet-123", "subnet-456"]

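  access_logs {
    # Placeholder name: the aws_lb access_logs block requires bucket even when disabled.
    bucket  = "example-alb-logs"
    enabled = false
  }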
}
EXPERT
answered 10 months ago
