Unable to access S3 log files owned by "s3-log-service"


I'm getting access denied when trying to access S3 log files.

This is a corporate account so I don't have root access. My user account, as well as the account I use with the AWS CLI, both have "administrator access" in IAM.

I have 2 buckets that have logging enabled (server access logging) and are writing their logs to a third bucket. All 3 buckets are in the same account.

I am completely unable to access these log files:

  1. Via the AWS GUI, I can see the files and I can open their details, but any method I try to download them always results in the access denied XML response.

  2. Via the AWS CLI using `aws s3 sync`, again, an access denied error.

  3. In Lambda, with a policy that allows GetObject on all keys in the third bucket, also access denied.

Looking at the log file details I can see they are owned by s3-log-service. I do not want to make the files public (public access is completely disabled on this bucket).

The end goal is option 3 above: I need to have a Lambda script that parses the S3 log files, so it needs to be able to read them. Manually updating the log files is not really an option as the flow should be fully automated. Is there an IAM policy or similar that needs to be configured to ensure the Lambda has access to the s3-log-service owned files?


Edited by: Thomas Smart on Dec 4, 2019 9:26 PM

asked 4 years ago, 363 views
1 Answer

OK, this was a case of RTFM.
If you have KMS-managed encryption enabled on the bucket where you are storing logs, you will get this error. This is noted on the manual page for server access logs.

answered 4 years ago
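An added example (not part of the original thread or any AWS tool) that checks for the condition the answer describes: it reads a source bucket's logging configuration, resolves the target bucket, and flags a default-encryption rule of `aws:kms` on that target. The bucket names, key alias and sample API responses below are constructed; `audit_live` assumes boto3 and AWS credentials are available, while the parsing functions run offline.

```python
"""Flag S3 server-access-log target buckets whose default encryption is SSE-KMS."""
from typing import Optional

SSE_KMS = "aws:kms"  # SSEAlgorithm value reported by GetBucketEncryption for SSE-KMS


def default_sse_algorithm(encryption_resp: Optional[dict]) -> Optional[str]:
    """Return the default SSEAlgorithm from a GetBucketEncryption response,
    or None when the bucket has no default-encryption rule."""
    if not encryption_resp:
        return None
    rules = encryption_resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        by_default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if "SSEAlgorithm" in by_default:
            return by_default["SSEAlgorithm"]
    return None


def audit_log_target(logging_resp: dict, encryption_resp: Optional[dict]) -> dict:
    """Combine a source bucket's GetBucketLogging response with the target
    bucket's GetBucketEncryption response; kms_conflict is True when the
    target defaults to SSE-KMS, the cause named in the answer above."""
    logging = logging_resp.get("LoggingEnabled")
    if not logging:
        return {"logging_enabled": False, "target": None, "sse": None, "kms_conflict": False}
    algo = default_sse_algorithm(encryption_resp)
    return {"logging_enabled": True, "target": logging["TargetBucket"],
            "sse": algo, "kms_conflict": algo == SSE_KMS}


def audit_live(source_bucket: str) -> dict:
    """Same check against a real account (assumes boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    logging_resp = s3.get_bucket_logging(Bucket=source_bucket)
    target = logging_resp.get("LoggingEnabled", {}).get("TargetBucket")
    encryption_resp = None
    if target:
        try:
            encryption_resp = s3.get_bucket_encryption(Bucket=target)
        except ClientError as e:  # no default encryption configured on the target
            if e.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
    return audit_log_target(logging_resp, encryption_resp)


# Constructed responses mirroring the poster's setup: a source bucket logging
# to a third bucket whose default encryption is SSE-KMS.
SAMPLE_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-log-target", "TargetPrefix": "logs/"}}
SAMPLE_ENCRYPTION_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example"}}]}}
```

Run `audit_live("<source-bucket>")` for each bucket with logging enabled; any result with `kms_conflict` set points at a target bucket whose default encryption should be changed to SSE-S3 (AES256) for log delivery.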
