Bucket policy for putting NLB access logs

Question

Hello,

I have an NLB in which I want to enable an access log and for that, I have assigned a S3 bucket.
But I'm having this error **"Access Denied for bucket: qa-nlb-lo. Please check S3bucket permission"** despite making policy based on AWS official documentation 
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

The policy is below -

```
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::qa-nlb-lo",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-no"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:elasticloadbalancing:ap-south-1:account-no:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::qa-nlb-lo/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-no",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:elasticloadbalancing:ap-south-1:account-no:*"
                }
            }
        }
    ]
}

```
In place of an account-no I have added my aws account number, but still facing this issue. I will be grateful if someone can point out my mistake and help me resolve this issue.

Thanks

Answer

Hello,
I got it solved

Thanks everyone

Answer

Hello.

Is your S3 bucket encrypted using KMS?  
For KMS encryption, try selecting a bucket with "SSE-S3" encryption.  
Also, are NLB and S3 in the same region?  
If the region is different, it will not be possible to output.

Answer

Your condition on the S3 bucket looks incorrect.  Please try the following while replacing **account-no** with your Acct No

This section is incorrect
`aws:SourceArn": "arn:aws:elasticloadbalancing:ap-south-1:account-no:*"`

```
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
                },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringEquals": {
                "aws:SourceAccount": ["account-no"]
                },
                "ArnLike": {
                "aws:SourceArn": ["arn:aws:logs:ap-south-1:account-no:*"]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-no/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": ["account-no"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:ap-south-1:account-no:*"]
                }
            }
        }
    ]
}
```

Bucket policy for putting NLB access logs

Relevanter Inhalt