Using root account in elb S3 policy


Hi, in the documentation for enabling ELB access logs, it is stated that I should add the following policy to my S3 bucket:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::elb-account-id:root"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
      }
    ]
  }

I'm a bit confused by the "Principal" field. It seems to allow the root user of a global ELB account. Who does this policy actually allow to access the bucket? Does that mean anyone can send their ELB logs to my bucket provided they know the ARN? Or is it only for my AWS account?
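As an added illustration (not part of the question or of AWS's documentation), here is a small checker for a bucket policy of the shape quoted above: it parses the policy and reports any `s3:PutObject` grant whose principal is not the root of the one account you expect to deliver logs, or whose resource is not confined to your own `AWSLogs/<account-id>/` prefix. The account IDs are constructed placeholders; the real regional log-delivery IDs come from the documentation table the question refers to.

```python
import json
import re

# Constructed sample, modelled on the ELB access-log bucket policy quoted in the question.
# Both account IDs are placeholders, not real AWS or ELB service account numbers.
ELB_LOG_ACCOUNT = "111111111111"   # stands in for the regional ELB log-delivery account
MY_ACCOUNT = "222222222222"        # stands in for the bucket owner's own account
BUCKET = "bucket-name"

POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ELB_LOG_ACCOUNT}:root"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/prefix/AWSLogs/{MY_ACCOUNT}/*",
    }],
})

ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")

def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def check_elb_log_policy(policy_json, elb_log_account, my_account):
    """Return findings for every Allow statement that grants s3:PutObject.

    An empty list means each such statement is limited to the expected
    log-delivery account's root and to this account's own AWSLogs prefix.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            m = ROOT_ARN.match(p)
            if p == "*":
                findings.append("Principal '*' lets any AWS principal write objects")
            elif not m or m.group(1) != elb_log_account:
                findings.append(f"Principal {p} is not the expected log-delivery account root")
        for res in _as_list(stmt["Resource"]):
            if f"/AWSLogs/{my_account}/" not in res:
                findings.append(f"Resource {res} is not limited to this account's AWSLogs prefix")
    return findings

if __name__ == "__main__":
    for f in check_elb_log_policy(POLICY_JSON, ELB_LOG_ACCOUNT, MY_ACCOUNT):
        print("FINDING:", f)
```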

1 Answer

You should replace elb-account-id with your AWS Account ID (twelve digits).

This will allow the root of YOUR ACCOUNT, and only that, to perform the action in the S3 bucket defined by the ARN. The root is the Principal that collects the data, and you need to specify it in this resource-based policy.

answered 3 months ago
  • Thanks for your answer. The documentation says the following though: "Replace elb-account-id with the ID of the AWS account for Elastic Load Balancing for your Region", and then lists all the IDs for the different regions. Why?
