OK, I'll give you a sample that actually works for me. This sample configuration might give you some insights.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Export CloudWatch Logs to S3 Bucket
Resources:
  # S3
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: S3BucketReadPermissions
            Effect: Allow
            Principal:
              Service:
                Fn::Sub: logs.${AWS::Region}.amazonaws.com
            Action:
              - s3:GetBucketAcl
            Resource:
              - Fn::GetAtt: S3Bucket.Arn
            Condition:
              StringEquals:
                aws:SourceAccount:
                  Ref: AWS::AccountId
              ArnLike:
                aws:SourceArn:
                  Fn::GetAtt: HelloWorldFunctionLogGroup.Arn
          - Sid: S3ObjectWritePermissions
            Effect: Allow
            Principal:
              Service:
                Fn::Sub: logs.${AWS::Region}.amazonaws.com
            Action:
              - s3:PutObject
            Resource:
              - Fn::Sub: ${S3Bucket.Arn}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceAccount:
                  Ref: AWS::AccountId
              ArnLike:
                aws:SourceArn:
                  Fn::GetAtt: HelloWorldFunctionLogGroup.Arn
  # Lambda
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      Description: HelloWorld function
      Handler: index.handler
      Runtime: nodejs18.x
      Architectures:
        - arm64
      InlineCode: |
        exports.handler = async event => {
          console.log(JSON.stringify(event, null, 2));
          return { "message": "Hello World!" };
        };
  HelloWorldFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName:
        Fn::Sub: /aws/lambda/${HelloWorldFunction}
```
Assuming that you have administrator privileges and are not restricted by your organization (e.g., SCP), here are the steps to reproduce my config:
- Save the configuration above in a YAML file.
- Create a CloudFormation stack from the YAML file you saved.
- Check the resources the CloudFormation stack has created. It should contain an S3 bucket, a Lambda function, and a CloudWatch Log Group.
- Go to the Lambda Console and invoke the newly created Lambda function (e.g., stackname-HelloWorldFunction-xxxxyyyyzzzz).
- Go to the CloudWatch Console and export Lambda execution logs from the newly created CloudWatch Log Group (e.g., /aws/lambda/stackname-HelloWorldFunction-xxxxyyyyzzzz) to the newly created S3 bucket (stackname-s3bucket-xxxxyyyyzzzz).
- After a successful test, review the configurations (e.g., bucket policy) and compare them with your current configurations.
- Empty the bucket and delete the CloudFormation stack.
Hi,
I have all the right permissions, including GetBucketACL, in the bucket policy.
You should be able to export your logs to S3 if you have set the correct bucket policy.
Check your bucket policy carefully for the GetBucketAcl statement.
Where do I check if CloudWatch Logs has been granted permission?
If you cannot export logs from your log group to your bucket, then your log group has not granted proper permissions.
Follow the instructions here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.html
Highlights:
- Set up a bucket - obviously already done.
- Set up access permissions: your IAM user, or, if you're federating in, the IAM role you're using to access the console, must have the following rights:
- logs:CreateExportTask
- logs:CancelExportTask
- logs:DescribeExportTasks
- logs:DescribeLogStreams
- logs:DescribeLogGroups
- Set up bucket permissions: copy and paste the policy into your bucket and make sure you properly update all the red text to reflect your bucket name and the region it is hosted in.
Side note:
- "arn:aws:s3:::my-exported-logs" - refers to the bucket itself
- "arn:aws:s3:::my-exported-logs/*" - refers to the objects in the bucket.
Using KMS? Perform the updates on your KMS key using the provided steps.
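A static check of a bucket policy for the grants that both the sample template above and the linked export-task instructions require (added example, not the poster's code or an AWS tool; the bucket name, region and SAMPLE_POLICY are constructed):

```python
# Constructed sample: a policy that only allows PutObject. This is the shape that
# produces "GetBucketAcl call on the given bucket failed" when creating an export task.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "S3ObjectWritePermissions", "Effect": "Allow",
    "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-exported-logs/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

def _as_list(v):
    # IAM policy elements may be a single string or a list of strings.
    return v if isinstance(v, list) else [v]

def _services(stmt):
    # Principal may be "*" or {"Service": "..."} / {"Service": [...]}.
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("Service", [])) if isinstance(p, dict) else []

def _grants(stmt, service, action, resource):
    return (stmt.get("Effect") == "Allow"
            and service in _services(stmt)
            and action in _as_list(stmt.get("Action", []))
            and resource in _as_list(stmt.get("Resource", [])))

def check_export_policy(policy, bucket, region):
    """Return findings; an empty list means the policy grants what an export task needs."""
    service = f"logs.{region}.amazonaws.com"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    stmts = _as_list(policy.get("Statement", []))
    findings = []
    # 1) GetBucketAcl must be allowed on the bucket ARN itself (no trailing /*).
    if not any(_grants(s, service, "s3:GetBucketAcl", bucket_arn) for s in stmts):
        findings.append(f"missing Allow {service} s3:GetBucketAcl on {bucket_arn}")
    # 2) PutObject must be allowed on bucket_arn/* with the bucket-owner-full-control ACL.
    put = [s for s in stmts if _grants(s, service, "s3:PutObject", bucket_arn + "/*")]
    if not put:
        findings.append(f"missing Allow {service} s3:PutObject on {bucket_arn}/*")
    elif not any(s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                 == "bucket-owner-full-control" for s in put):
        findings.append("PutObject statement lacks s3:x-amz-acl = bucket-owner-full-control")
    # 3) A Logs principal for a different region is a common copy-paste mistake.
    for s in stmts:
        for svc in _services(s):
            if svc.startswith("logs.") and svc != service:
                findings.append(f"{s.get('Sid')} names {svc} but bucket region is {region}")
    return findings

if __name__ == "__main__":
    for f in check_export_policy(SAMPLE_POLICY, "my-exported-logs", "us-east-1"):
        print("FINDING:", f)
```

Feed it the policy JSON fetched from the bucket (for example via `aws s3api get-bucket-policy`) together with the bucket's own region; the findings name the statement that is missing or mismatched.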
I tried everything possible. No matter what I am doing, I am still getting the same error:
Could not create export task. GetBucketAcl call on the given bucket failed. Please check if CloudWatch Logs has been granted permission to perform this operation.
Thank you for your help