Enabling logs on a ALB (Gov region)

Question

Hello all, I'm trying to enable the logs on a ALB (AWS GovCloud US-West), but when I tried to add the policy to the S3 bucket, it doesn't work, I was trying to use the policy suggested on the documentation, and using 048591011584 as elb-account-id, as per documentation, but when I tried to add the policy to the S3 bucket, I got "Invalid principal in policy"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::048591011584:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*"
    }
  ]
}
what am I doing wrong?

Answer

Usually you receive "Invalid principal in policy" when you are trying to put the value of principal which is invalid. 
To resolve this issue kindly check the following

- Your bucket policy uses supported values for a Principal element.
- The Principal element is formatted correctly.
- If the Principal is an AWS Identity and Access Management (IAM) user or role, then confirm that the user or role wasn't deleted.
For details, you can also check the following Knowledge center article. https://repost.aws/knowledge-center/s3-invalid-principal-in-policy-error

Also, In AWS GovCloud (US) Regions, ARNs have an identifier that is different from the one in other standard AWS Regions.
Kindly check if the resource ARN matches the GovCloud standard. 
https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html

Enabling logs on a ALB (Gov region)

相關內容