Cloudfront S3 access logs - access denied?

0

Hello,

I've configured a cloudfront distribution for my S3-hosted website, that all works great. I've also configured an S3 bucket to get the logging, which is being put in there.

I'm now trying to get access to those logs. I can see them in the bucket as "<distribution>.<date>.<id>.tgz", but whatever I try I can't seem to get them off there. Downloading doesn't work - S3 returns me an access denied.
The bucket is set to private and AWS-KMS encrypted, and even trying to download them via the 'Download' button in the S3 UI tells me to sod off.

I'm the only one with access on my account, I have Administrator access, and there's no policy denying me.

What am I doing wrong?

Asked 5 years ago, 1171 views
2 Answers
0

In the end, the issue had to do with KMS encryption. I was using the default aws/s3 key, but since cloudfront logs arrive from a different account, it was using the KMS key of the cloudfront account, which I can't access.

Switched to AES256 for now, will investigate later if I can work around this issue.

Answered 5 years ago
0

Hey there. I had the same problem and was finally able to solve it.

I had three issues. (1) I didn't set KMSMasterKeyID initially in my CFT. I just specified SSEAlgorithm: aws:kms. I assumed this would make AWS use my default key. I was wrong. Instead the log delivery service used its own key to encrypt the log files. This caused the Access Denied issue when I tried to download or view the log files. (2) Once I set KMSMasterKeyID to one of my own CMKs, the log delivery service stopped writing files. (3) For KMSMasterKeyID, I used the ID from the Ref function, not the ARN. Nothing complained at deploy time, but at runtime no log files were being written. I was never able to find much in CloudTrail to help debug. I noticed the difference after staring at the AWS Console showing the bucket's KMS setting and realized my mistake.

To solve (1), I created my own CMK.

To solve (2) and (3), I referenced my CMK by its ARN in my CFT. The AWS docs have the solution, but I was stuck for hours until I realized I was referencing a bad ID (not using the ARN) in my CFT.

Here's the link to the AWS docs that discuss the correct approach. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsKMSPermissions

Here's my key policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Give root user of AWS account full control of key.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your-account-goes-here>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow logging agent for CloudFront to use the key.",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*"
        }
    ]
}

Edited by: geeeoff on Dec 29, 2019 9:28 AM

geeeoff
Answered 4 years ago
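As an added example (not the poster's own template, and not AWS documentation), here is a minimal CloudFormation fragment that puts the three fixes from the answer above together: a customer-managed key whose policy is the one posted, and a log bucket whose default encryption references that key by ARN rather than by the bare key ID that !Ref returns. The logical names LogsKey and CloudFrontLogsBucket are assumptions; the first answer explains why a customer-managed key is needed at all (the AWS-managed aws/s3 key has a fixed policy, so the cross-account log delivery service can never be granted use of it).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example only: CloudFront standard-log bucket encrypted with a
  customer-managed KMS key. LogsKey and CloudFrontLogsBucket are
  assumed resource names.

Resources:
  # Fix for issue (1): a customer-managed key, so the key policy can be
  # edited to let the log delivery service encrypt with it.
  LogsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for CloudFront access logs
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2008-10-17"
        Statement:
          - Sid: Give root user of AWS account full control of key.
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          - Sid: Allow logging agent for CloudFront to use the key.
            Effect: Allow
            Principal:
              Service: delivery.logs.amazonaws.com
            Action: "kms:GenerateDataKey*"
            Resource: "*"

  CloudFrontLogsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              # Fix for issues (2) and (3): reference the key by ARN.
              # "KMSMasterKeyID: !Ref LogsKey" yields only the key ID;
              # the stack deploys cleanly, but log delivery silently
              # stops writing objects, exactly as the answer describes.
              KMSMasterKeyID: !GetAtt LogsKey.Arn
```

After deployment, `aws s3api get-bucket-encryption --bucket <bucket-name>` shows the effective KMSMasterKeyID; if it prints a bare key ID instead of an arn:aws:kms:... ARN, the template is still using the !Ref form. `aws kms get-key-policy --key-id <key-arn> --policy-name default` confirms the delivery.logs.amazonaws.com statement is present on the key actually attached to the bucket.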
