I'm following these instructions from AWS to try to add access logs to my application load balancer.

Precisely the policies described at the Bucket permissions -> To prepare an Amazon S3 bucket for access logging -> point 5

Unfortunately, when I add the policy it returns 'MalformedPolicy: Invalid policy syntax'.

Can anyone point me in the right direction with this?

Policy data:

data "aws_iam_policy_document" "allow-lb-aws" {
  statement {
    principals {
      type        = "service"
      identifiers = ["logdelivery.elb.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::${aws_s3_bucket.lb-logs.bucket}/main-lb/AWSLogs/652711504416/*"
    ]

  }
}

In the console, this shows up as:

 + resource "aws_s3_bucket_policy" "allow-lb-aws" {
      + bucket = "<my-bucket-name>"
      + id     = (known after apply)
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "s3:PutObject",
                          + "s3:ListBucket",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + service = "logdelivery.elb.amazonaws.com"
                        }
                      + Resource  = "arn:aws:s3:::<my bucket name>/main-lb/AWSLogs/<europe-west-2-listed-account>/*"
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
    }
SebastianG
    I think type has to be capitalized, i.e., `type = Service`. And btw, you can get the whole bucket ARN with `${aws_s3_bucket.lb-logs.bucket.arn}`. – Marko E Jul 29 '22 at 21:41
  • That was it, although the additional policy was useless; what's in that AWS documentation link that I was trying to do was utterly pointless, as it already had access to the whole bucket. – SebastianG Jul 30 '22 at 00:08

1 Answer

You are trying to capture the logs from the ALB to S3; the policy should be like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<aws_elb_account_id>:root"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::${aws_s3_bucket.lb-logs.bucket}/main-lb/AWSLogs/<your_aws_account_id>/*"
      ]
    }
  ]
}

From the docs you mentioned (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html), for region eu-west-2, the aws_elb_account_id is 652711504416.

I believe that s3:PutObject is enough to put the logs.

Franxi Hidro
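The following is an added Terraform example (not code from the question, the comments or the answer) that puts the two fixes discussed above together: the principal `type` in `aws_iam_policy_document` must be one of the capitalised values (`"AWS"`, `"Service"`, ...), and the regional Elastic Load Balancing account from the AWS docs is granted only `s3:PutObject` on the account-specific log prefix. It assumes an existing `aws_s3_bucket.lb-logs` resource, the `main-lb` prefix from the question, and the eu-west-2 ELB account ID `652711504416` quoted in the answer; the variable name `elb_account_id` and the `sid` are my own.

```hcl
# Added example, not the original poster's or the answerer's code.
# Assumes: resource "aws_s3_bucket" "lb-logs" exists, the ALB is in eu-west-2,
# and access logs are written under the "main-lb" prefix.

variable "elb_account_id" {
  description = "Regional Elastic Load Balancing account ID from the AWS access-log docs (eu-west-2 value from the answer)"
  type        = string
  default     = "652711504416"
}

# Resolves the account ID that appears in the AWSLogs/<account-id>/ path,
# so it is not hard-coded in the policy.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "allow-lb-aws" {
  statement {
    sid    = "AllowALBAccessLogDelivery"
    effect = "Allow"

    # Principal type must be capitalised; "service" (lower case) is what
    # produced the MalformedPolicy error in the question. For the regional
    # ELB account form from the docs, the type is "AWS" and the identifier
    # is that account's root ARN.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.elb_account_id}:root"]
    }

    # s3:PutObject is all log delivery needs. s3:ListBucket is a bucket-level
    # action and is ineffective on an object path, so it is left out.
    actions = ["s3:PutObject"]

    # Scope the grant to this account's log prefix only, using the bucket
    # resource's own ARN attribute rather than rebuilding it by hand.
    resources = [
      "${aws_s3_bucket.lb-logs.arn}/main-lb/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "allow-lb-aws" {
  bucket = aws_s3_bucket.lb-logs.id
  policy = data.aws_iam_policy_document.allow-lb-aws.json
}
```

If the service-principal form from the question is used instead, the only change inside `principals` is `type = "Service"` with `identifiers = ["logdelivery.elb.amazonaws.com"]`; the resource scoping stays the same. Keeping the `Resource` limited to `AWSLogs/<your-account-id>/*` is worth preserving: it means the log-delivery principal can write nothing outside that prefix, and `terraform plan` will show the rendered JSON so the `Principal` key can be checked for `"AWS"` or `"Service"` before apply.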