S3 bucket policy to allow CloudFront logging

Question

Hi,

I have two S3 buckets, and one of them has a website.
Thanks fort he help, Route 53, CloudFront, and S3 are all working well to serve the website now.

I have also enabled CloudFront standard logging and selected an S3 bucket for log data.

Is there an example policy I can apply to the logging S3 permission?

I found this but I get 'Invalid principal in policy' error:  https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-cloudfront

```
{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E27xxxx"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
        }
    ]
}
```
Also, are there any disadvantages to turning on Cookie Logging?

Thanks!

Accepted Answer

I would refer this doc for the error and make sure the Syntax and steps are accurate.

Link- https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-cloudfront

Regarding Cookie Logging, The Cookie header in the request, including name—value pairs and the associated attributes.

If you enable cookie logging, CloudFront logs the cookies in all requests regardless of which cookies you choose to forward to the origin. When a request doesn’t include a cookie header, this field’s value is a hyphen (-).
Refer https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html to check for more use-cases and features.

Answer

Thank you!

S3 bucket policy to allow CloudFront logging

相關內容