2 Answers
0
Same problem here.
The CloudTrail event generated:
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AWSAccount",
    "principalId": "AIDAIC3Q6OY7XTEX2MMHK",
    "accountId": "156460612806"
  },
  "eventTime": "2019-05-13T08:33:37Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "[aws-internal/3 aws-sdk-java/1.11.526 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 vendor/Oracle_Corporation]",
  "errorCode": "AccessDenied",
  "errorMessage": "Access Denied",
  "requestParameters": {
    "bucketName": "logging-alpha-eu-west-1",
    "Host": "logging-alpha-eu-west-1.s3-eu-west-1.amazonaws.com",
    "x-amz-acl": "bucket-owner-full-control",
    "key": "AWSLogs/000000000000/ELBAccessLogTestFile"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-SHA",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "xxxxxxxxxxx",
    "bytesTransferredOut": 243
  },
  "requestID": "XXXXXX",
  "eventID": "XXXXXXX",
  "readOnly": false,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::logging-alpha-eu-west-1/AWSLogs/000000000000/ELBAccessLogTestFile"
    },
    {
      "accountId": "000000000000",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::logging-alpha-eu-west-1"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "000000000000",
  "sharedEventID": "xxxxxxxx"
}
I've tried with the following statement on my KMS Key but it still does not work:
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": "*",
  "Resource": "*"
}
If I change the bucket default encryption to the "AES256" encryption, everything is working great.
Benoît
Edited by: bsauvere on May 13, 2019 2:03 AM
answered 6 years ago
0
Hi,
Storing ALB access logs in an S3 bucket with SSE-KMS encryption enabled is still not supported.
To encrypt your access logs, you can enable server-side encryption with Amazon S3-managed encryption keys (SSE-S3):
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
answered 5 years ago
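A triage sketch for the failure discussed in the two answers above, added here as an example and not code from either poster or from AWS: it recognises the denied `ELBAccessLogTestFile` write in a CloudTrail record and checks whether the bucket's default encryption is `aws:kms`. The function names and finding labels are hypothetical; the sample event is a trimmed copy of the record quoted above, and the encryption dict is constructed in the shape S3 `GetBucketEncryption` returns.

```python
import json

# Constructed sample: a trimmed copy of the CloudTrail record quoted on this page.
SAMPLE_EVENT = json.loads("""
{
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "sourceIPAddress": "AWS Internal",
  "errorCode": "AccessDenied",
  "requestParameters": {
    "bucketName": "logging-alpha-eu-west-1",
    "key": "AWSLogs/000000000000/ELBAccessLogTestFile"
  }
}
""")

# Constructed sample in the shape returned by S3 GetBucketEncryption.
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
]}}


def is_elb_log_test_denial(event):
    """True for a denied PutObject of the ELBAccessLogTestFile test object."""
    params = event.get("requestParameters") or {}
    return (
        event.get("eventSource") == "s3.amazonaws.com"
        and event.get("eventName") == "PutObject"
        and event.get("errorCode") == "AccessDenied"
        and str(params.get("key", "")).endswith("/ELBAccessLogTestFile")
    )


def default_sse_algorithms(encryption):
    """Collect default SSE algorithms from a GetBucketEncryption-shaped dict."""
    config = (encryption or {}).get("ServerSideEncryptionConfiguration", {})
    found = {rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for rule in config.get("Rules", [])}
    return found - {None}


def triage(event, encryption):
    """Label one CloudTrail record given the target bucket's encryption config."""
    if not is_elb_log_test_denial(event):
        return "not-applicable"
    if "aws:kms" in default_sse_algorithms(encryption):
        # Matches the case on this page: delivery worked once the default was AES256.
        return "kms-default-encryption"
    return "check-bucket-policy"
```
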