How do I troubleshoot errors that are related to S3 when I set up ELB access logs?

I get an error when I set up Elastic Load Balancing (ELB) access logs to use an Amazon Simple Storage Service (Amazon S3) bucket.

Short description

To use access logs with your load balancer, you must attach a bucket policy to the Amazon S3 bucket. The bucket policy must include permissions for ELB to write to the bucket. 

Note: Network Load Balancers support access logs only for Transport Layer Security (TLS) listeners. The access log contains information about TLS requests to the Network Load Balancer. Network Load Balancers don't support access logs for Transmission Control Protocol (TCP) listeners.

Resolution

AWS Region bucket error

You receive the error message, "S3Bucket: my-access-log-bucket is not located in the same region with ELB: app/my-load-balancer/50dc6c495c0c9188".

This error occurs when your Amazon S3 bucket and load balancer aren't located in the same AWS Region. The Amazon S3 bucket can be in a different AWS account but must be in the same Region as the load balancer.

To resolve this issue, move the S3 bucket to the same Region as the load balancer.

Bucket permission error

You receive the error message, "Access Denied for bucket: my-access-log-bucket. Please check S3bucket permission".

This error occurs when the Amazon S3 bucket doesn't have a policy that grants permission to write the access logs.

To resolve this issue, attach a bucket policy to the S3 bucket that grants ELB permission to write logs to your bucket. Confirm that you have the correct placeholders for the name and prefix of your bucket. Also, confirm that you have the correct account ID for ELB based on the Region for your load balancer.

For more information about the required permissions, see the following topics:

To encrypt access logs for ELB, you can use server-side encryption with Amazon S3 managed keys (SSE-S3). Also, Network Load Balancers support AWS Key Management Service (AWS KMS) customer managed keys to encrypt access logs. However, you can't use AWS KMS managed keys to encrypt ELB access logs.

Bucket namespace error

You receive the error message, "The value of 'access_logs.s3.prefix' cannot start with 'AWSLogs'".

This error occurs when the access log's S3 bucket prefix includes AWSLogs. To resolve this issue, remove AWSLogs from your access log's S3 bucket prefix.

Additional troubleshooting

If your S3 bucket policy and configuration are correct but you still can't view logs, then verify that the load balancer receives traffic. Check the ActiveConnectionCount and RequestCount load balancer metrics.
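
The three checks from the Resolution section can be run offline against a bucket policy document before you enable access logs. The following Python sketch is an added example, not AWS code: the function name preflight, the sample policy, and both account IDs are constructed placeholders. It assumes the standard log layout, in which ELB writes under [prefix/]AWSLogs/<load balancer account ID>/, and a policy that names the ELB principal explicitly.

```python
import json
import re

# Constructed sample values: 111111111111 stands in for the ELB account ID of
# your Region, 123456789012 for the account that owns the load balancer.
ELB_PRINCIPAL = "arn:aws:iam::111111111111:root"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ELB_PRINCIPAL},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-access-log-bucket/prod/AWSLogs/123456789012/*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, text):
    # Policy wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, text) is not None

def preflight(lb_region, bucket_region, bucket, prefix, lb_account_id,
              elb_principal, policy_json):
    """Return findings for the three errors; an empty list means none apply."""
    findings = []
    if lb_region != bucket_region:
        findings.append(f"region: bucket in {bucket_region}, load balancer in {lb_region}")
    if prefix.startswith("AWSLogs"):
        findings.append("prefix: must not start with 'AWSLogs'")
    # Logs are written under [prefix/]AWSLogs/<load balancer account ID>/...
    parts = [p for p in (prefix.strip("/"), "AWSLogs", lb_account_id, "probe") if p]
    target = f"arn:aws:s3:::{bucket}/" + "/".join(parts)
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        # Only an explicitly named principal counts; a bare "*" is not accepted.
        named = ([p for v in principal.values() for p in _as_list(v)]
                 if isinstance(principal, dict) else [])
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if (stmt.get("Effect") == "Allow" and elb_principal in named
                and any(_wild(a, "s3:putobject") for a in actions)
                and any(_wild(r, target) for r in _as_list(stmt.get("Resource", [])))):
            allowed = True
    if not allowed:
        findings.append(f"policy: no Allow for s3:PutObject by {elb_principal} on {target}")
    return findings  # Deny statements and conditions are not evaluated here

if __name__ == "__main__":
    for f in preflight("us-west-2", "us-east-1", "my-access-log-bucket", "AWSLogs/prod",
                       "123456789012", ELB_PRINCIPAL, SAMPLE_POLICY):
        print(f)
```

An empty result means none of the three setup errors applies to the inputs you supplied; it doesn't evaluate Deny statements, policy conditions, or bucket encryption settings.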

2 Comments

Hello,

There is a statement here where it is mentioned "To use access logs with your load balancer, the load balancer and the Amazon S3 bucket must be in the same account."

The documentation is mentioning a contradictory statement "The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts." [+] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#access-log-create-bucket

AWS
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago