I want to send access logs from an Application Load Balancer to an Amazon Simple Storage Service (Amazon S3) bucket that's in a centralized logging AWS account.
Resolution
Prerequisites:
- Confirm that the S3 bucket that's in the centralized logging account is in the same AWS Region as the Application Load Balancer.
- Note the source account ID that hosts the load balancer.
- Note the name of your bucket and the prefix of the folder path where you want to store the logs.
- Confirm that your AWS Identity and Access Management (IAM) role has permissions to modify bucket policies in the centralized logging account. For more information, see Policy actions for Amazon S3.
- Confirm that your IAM role has permissions to modify the attributes of the load balancer in the source account. For more information, see How Elastic Load Balancing works with IAM.
Configure the bucket policy in the centralized logging account
In the centralized logging account, attach a policy to your bucket that grants Elastic Load Balancing (ELB) permission to write objects. The policy allows delivery only to the source account and load balancer that you specify. For instructions, see Attach a policy to your bucket.
Note: To store logs at the account root user level, remove the prefix value from the folder path.
Turn on access logs on the load balancer in the source account
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To turn on access logs for your load balancer that's in the source account, you can use the Amazon Elastic Compute Cloud (Amazon EC2) console or AWS CLI.
Amazon EC2 console
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Load Balancers.
- Select your load balancer.
- Choose the Attributes tab, and then choose Edit.
- Under the Monitoring section, select Access logs.
- For S3 URI, enter the name of the bucket in the s3://bucket-name/prefix format.
- Choose Save changes.
AWS CLI
Run the following modify-load-balancer-attributes command:
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn YOUR-ALB-ARN \
    --attributes \
    Key=access_logs.s3.enabled,Value=true \
    Key=access_logs.s3.bucket,Value=BUCKET-NAME \
    Key=access_logs.s3.prefix,Value=PREFIX
Note: Replace YOUR-ALB-ARN with the Amazon Resource Name (ARN) of your load balancer and BUCKET-NAME with the name of the bucket that's in the logging account. Also, replace PREFIX with the folder path where you want to store the logs.
Confirm that the access logs are in the S3 bucket
Complete the following steps:
- Open the Amazon S3 console.
- In the navigation pane, choose Buckets, and then select your bucket.
- In the bucket, open the bucket-name/prefix/AWSLogs/source-account-id/elasticloadbalancing/region/ folder path. (S3 object keys are case-sensitive, so the AWSLogs segment must be spelled exactly this way.)
- Confirm that logs appear.
Note: Logs begin to appear within a few minutes of the first request to your load balancer. The log files use the bucket-name/prefix/AWSLogs/source-account-id/elasticloadbalancing/region/yyyy/mm/dd/ structure. Access logs arrive approximately every 5 minutes for each load balancer node. Each log file contains details about the requests that the load balancer received during the 5-minute period.
Important: AWS periodically adds new fields to the access logs of the load balancer. New fields append at the end of log entries. If you use Amazon Athena or other tools to query access logs for your load balancer, then review the current log format to confirm that your query handles all fields. For more information, see Access log entries.
Configure the bucket policy to allow only authorized sources to receive logs
To deliver logs only to authorized sources, take the following actions.
Use specific resource paths
Use the full resource path and include the account ID in the ARN of the bucket. Don't use wildcards (*) in place of the account ID.
Example ARN:
"Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/123456789012/*"
Restrict by source ARN
Use the aws:SourceArn condition to restrict write access only to load balancers from the specified Region and account.
Example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/123456789012/*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/*"
                }
            }
        }
    ]
}
Restrict by organization
If you use AWS Organizations, then use the aws:SourceOrgId condition with aws:SourceArn to allow write access only to load balancers from the specified organization. This policy configuration grants access to all accounts within your organization and doesn't require individual account IDs.
Example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/*/elasticloadbalancing/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceOrgId": "o-1234567890"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
                }
            }
        }
    ]
}
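The three hardening points above (a pinned account ID in the Resource path, or an aws:SourceOrgId condition when the account ID is wildcarded, plus an aws:SourceArn condition) can be checked mechanically before a policy is attached. The following Python checker is an added example, not code from the article or from AWS; the example_policy helper, the constructed sample policies, and the us-east-1 Region are assumptions.

```python
import json
import re

# Service principal that delivers ALB access logs (from the article's example policies)
LOG_DELIVERY_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_log_delivery_policy(policy_json):
    """Return findings for Allow statements that let the log delivery principal write objects.
    Flags a Resource outside the .../AWSLogs/<account-id>/... path, an account ID replaced by
    a wildcard without an aws:SourceOrgId condition, and a missing aws:SourceArn condition."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") != "Allow" or LOG_DELIVERY_PRINCIPAL not in services
                or not any(a in ("s3:PutObject", "s3:*", "*") for a in actions)):
            continue
        cond = stmt.get("Condition", {})
        keys = {k for block in cond.values() if isinstance(block, dict) for k in block}
        for res in _as_list(stmt.get("Resource", [])):
            match = re.search(r"/AWSLogs/([^/]+)/", res)
            if match is None:
                findings.append(f"statement {i}: {res} lacks the AWSLogs/<account-id>/ path")
            elif not re.fullmatch(r"\d{12}", match.group(1)) and "aws:SourceOrgId" not in keys:
                findings.append(f"statement {i}: {res} wildcards the account ID without aws:SourceOrgId")
        if "aws:SourceArn" not in keys:
            findings.append(f"statement {i}: missing aws:SourceArn condition")
    return findings


def example_policy(resource, condition=None):
    """Build a constructed single-statement bucket policy for exercising the checker (assumed helper)."""
    stmt = {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": "s3:PutObject", "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Constructed weak policy: wildcard in place of the account ID and no conditions at all
WEAK_POLICY = example_policy("arn:aws:s3:::bucket-name/prefix/AWSLogs/*/*")
# Hardened form from the article: account ID pinned in the path and aws:SourceArn restricted
HARDENED_POLICY = example_policy(
    "arn:aws:s3:::bucket-name/prefix/AWSLogs/123456789012/*",
    {"ArnLike": {"aws:SourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/*"}})
```

Run check_log_delivery_policy on the JSON you intend to attach; an empty list means all three checks passed, and each finding names the statement and the missing control.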