Bucket policy for putting NLB access logs

0

Hello,

I have an NLB on which I want to enable access logs, and for that I have assigned an S3 bucket. But I'm getting this error: "Access Denied for bucket: qa-nlb-lo. Please check S3bucket permission", despite having written the policy based on the official AWS documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

The policy is below -

{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::qa-nlb-lo",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-no"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:elasticloadbalancing:ap-south-1:account-no:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::qa-nlb-lo/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-no",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:elasticloadbalancing:ap-south-1:account-no:*"
                }
            }
        }
    ]
}

In place of account-no I have added my AWS account number, but I am still facing this issue. I will be grateful if someone can point out my mistake and help me resolve it.

Thanks

3 Answers
1

Hello, I got it solved

Thanks everyone

answered 2 months ago
0

Your condition on the S3 bucket looks incorrect. Please try the following, replacing account-no with your account number.

This section is incorrect: "aws:SourceArn": "arn:aws:elasticloadbalancing:ap-south-1:account-no:*"

{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": ["account-no"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:ap-south-1:account-no:*"]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-no/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": ["account-no"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:ap-south-1:account-no:*"]
                }
            }
        }
    ]
}
EXPERT
answered 2 months ago
  • I have already mentioned that account-no has been replaced by my actual AWS account number.

  • I understand that; however, your policy was wrong. It had a wrong condition statement. My policy was the correct one. The ARN, not the account number, was wrong.

  • Your policy condition was using arn:aws:elasticloadbalancing and not arn:aws:logs.
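One way to check a bucket policy for the conditions discussed in this answer before attaching it, as an added example that is not code from the thread or from AWS: a small Python linter that walks the policy JSON and verifies the grants and condition keys the delivery service needs (s3:GetBucketAcl on the bucket ARN, s3:PutObject under the bucket with s3:x-amz-acl = bucket-owner-full-control, aws:SourceAccount, and an aws:SourceArn in the arn:aws:logs form rather than arn:aws:elasticloadbalancing). The account id 111122223333, the two embedded policies and all function names are this example's own constructed assumptions; the bucket name and region come from the question.

```python
"""Offline linter for an S3 bucket policy that must let delivery.logs.amazonaws.com
write NLB access logs. Added example; constructed sample inputs, not real accounts."""
import json

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"


def _as_list(value):
    """IAM JSON allows a scalar or a list for most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _delivery_statements(policy, action):
    """Yield Allow statements that grant `action` to the log delivery service."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if DELIVERY_PRINCIPAL in services and action in _as_list(stmt.get("Action", [])):
            yield stmt


def _condition(stmt, operator, key):
    """Values of one condition key under one operator (empty list if absent)."""
    return _as_list(stmt.get("Condition", {}).get(operator, {}).get(key, []))


def lint_log_delivery_policy(policy, bucket, account, region):
    """Return human-readable findings; an empty list means every grant and
    condition the answer above identifies as required is present and consistent."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    expected_source_arn = f"arn:aws:logs:{region}:{account}:*"

    # 1. ACL check on the bucket itself
    acl_stmts = [s for s in _delivery_statements(policy, "s3:GetBucketAcl")
                 if bucket_arn in _as_list(s.get("Resource", []))]
    if not acl_stmts:
        findings.append(f"missing s3:GetBucketAcl grant on {bucket_arn} for {DELIVERY_PRINCIPAL}")

    # 2. Object write under the bucket, forced to bucket-owner-full-control
    put_stmts = [s for s in _delivery_statements(policy, "s3:PutObject")
                 if any(r.startswith(bucket_arn + "/") for r in _as_list(s.get("Resource", [])))]
    if not put_stmts:
        findings.append(f"missing s3:PutObject grant under {bucket_arn}/ for {DELIVERY_PRINCIPAL}")
    for s in put_stmts:
        if _condition(s, "StringEquals", "s3:x-amz-acl") != ["bucket-owner-full-control"]:
            findings.append(f"{s.get('Sid', '?')}: s3:PutObject must require "
                            "s3:x-amz-acl = bucket-owner-full-control")

    # 3. Confused-deputy conditions: the account and the source ARN, which for
    #    log delivery names the logs service, not elasticloadbalancing
    for s in acl_stmts + put_stmts:
        sid = s.get("Sid", "?")
        accounts = _condition(s, "StringEquals", "aws:SourceAccount")
        if account not in accounts:
            findings.append(f"{sid}: aws:SourceAccount should be {account}, got {accounts}")
        for arn in _condition(s, "ArnLike", "aws:SourceArn"):
            parts = arn.split(":")  # arn:partition:service:region:account:resource
            if len(parts) < 6 or parts[2] != "logs":
                findings.append(f"{sid}: aws:SourceArn {arn!r} must name the logs service, "
                                f"e.g. {expected_source_arn}")
            elif parts[3] != region or parts[4] != account:
                findings.append(f"{sid}: aws:SourceArn {arn!r} has the wrong region or "
                                f"account, expected {expected_source_arn}")
    return findings


# Constructed sample inputs: 111122223333 stands in for "account-no".
ACCOUNT, BUCKET, REGION = "111122223333", "qa-nlb-lo", "ap-south-1"


def sample_policy(source_service, object_resource):
    """Build the policy from the thread, parameterised on the fields the
    accepted answer changed (the service in aws:SourceArn and the object path)."""
    condition = {
        "StringEquals": {"aws:SourceAccount": ACCOUNT},
        "ArnLike": {"aws:SourceArn": f"arn:aws:{source_service}:{REGION}:{ACCOUNT}:*"},
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
             "Principal": {"Service": DELIVERY_PRINCIPAL},
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": condition},
            {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
             "Principal": {"Service": DELIVERY_PRINCIPAL},
             "Action": "s3:PutObject", "Resource": object_resource,
             "Condition": {"ArnLike": condition["ArnLike"],
                           "StringEquals": {**condition["StringEquals"],
                                            "s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


ORIGINAL_POLICY = sample_policy("elasticloadbalancing", f"arn:aws:s3:::{BUCKET}/*")
CORRECTED_POLICY = sample_policy("logs", f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*")

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        found = lint_log_delivery_policy(policy, BUCKET, ACCOUNT, REGION)
        print(f"{name}: {'OK' if not found else json.dumps(found, indent=2)}")
```

Run against the question's policy the linter reports both statements' aws:SourceArn as naming the wrong service; against the corrected policy it reports nothing. To lint a real policy, load it with `json.load` and pass your own bucket, account and region; the KMS and region points raised in the next answer are bucket properties, not policy text, and are not covered here.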

0

Hello.

Is your S3 bucket encrypted using KMS?
If it is, try a bucket with "SSE-S3" encryption instead.
Also, are the NLB and the S3 bucket in the same region?
If the region is different, the logs cannot be written.

EXPERT
answered 2 months ago
