Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Post History

60%
+1 −0
Q&A When configuring load balancer access logs, what permission does the S3 bucket need?

It needs the s3:PutObject permisson, but the Principal in the policy depends on the AWS region. For instance, in us-east-1, this should work (assuming it will log under s3://test-bucket-access-logs...

posted 6mo ago by philipp.classen‭  ·  edited 6mo ago by philipp.classen‭

Answer
#3: Post edited by user avatar philipp.classen‭ · 2024-06-20T16:43:12Z (6 months ago)
  • It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs/AWSLogs/<account-name>/`):
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "AWS": "arn:aws:iam::127311923021:root"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
  • }
  • ]
  • }
  • ```
  • As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
  • ```
  • US East (N. Virginia) – 127311923021
  • US East (Ohio) – 033677994240
  • US West (N. California) – 027434742980
  • US West (Oregon) – 797873946194
  • Africa (Cape Town) – 098369216593
  • Asia Pacific (Hong Kong) – 754344448648
  • Asia Pacific (Jakarta) – 589379963580
  • Asia Pacific (Mumbai) – 718504428378
  • Asia Pacific (Osaka) – 383597477331
  • Asia Pacific (Seoul) – 600734575887
  • Asia Pacific (Singapore) – 114774131450
  • Asia Pacific (Sydney) – 783225319266
  • Asia Pacific (Tokyo) – 582318560864
  • Canada (Central) – 985666609251
  • Europe (Frankfurt) – 054676820928
  • Europe (Ireland) – 156460612806
  • Europe (London) – 652711504416
  • Europe (Milan) – 635631232127
  • Europe (Paris) – 009996457667
  • Europe (Stockholm) – 897822967062
  • Middle East (Bahrain) – 076674570225
  • South America (São Paulo) – 507241528517
  • ```
  • If it is successfully configured, it should immediately put a test file called `ELBAccessLogTestFile` in that folder (in this example under `s3://test-bucket-access-logs/AWSLogs/470602773899/ELBAccessLogTestFile`).
  • Note that the magic numbers above apply only for historical regions; for newer ones that became available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
  • }
  • ]
  • }
  • ```
  • It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east-1`, this should work (assuming it will log under `s3://test-bucket-access-logs/AWSLogs/<account-name>/`):
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "AWS": "arn:aws:iam::127311923021:root"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
  • }
  • ]
  • }
  • ```
  • As said, the magic number `127311923021` is for `us-east-1` and will differ if the load balancer is in a different region. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
  • ```
  • US East (N. Virginia) – 127311923021
  • US East (Ohio) – 033677994240
  • US West (N. California) – 027434742980
  • US West (Oregon) – 797873946194
  • Africa (Cape Town) – 098369216593
  • Asia Pacific (Hong Kong) – 754344448648
  • Asia Pacific (Jakarta) – 589379963580
  • Asia Pacific (Mumbai) – 718504428378
  • Asia Pacific (Osaka) – 383597477331
  • Asia Pacific (Seoul) – 600734575887
  • Asia Pacific (Singapore) – 114774131450
  • Asia Pacific (Sydney) – 783225319266
  • Asia Pacific (Tokyo) – 582318560864
  • Canada (Central) – 985666609251
  • Europe (Frankfurt) – 054676820928
  • Europe (Ireland) – 156460612806
  • Europe (London) – 652711504416
  • Europe (Milan) – 635631232127
  • Europe (Paris) – 009996457667
  • Europe (Stockholm) – 897822967062
  • Middle East (Bahrain) – 076674570225
  • South America (São Paulo) – 507241528517
  • ```
  • If it is successfully configured, it should immediately put a test file called `ELBAccessLogTestFile` in that folder (in this example under `s3://test-bucket-access-logs/AWSLogs/470602773899/ELBAccessLogTestFile`).
  • Note that the magic numbers above apply only for historical regions; for newer ones that became available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
  • }
  • ]
  • }
  • ```
#2: Post edited by user avatar philipp.classen‭ · 2024-06-20T16:34:13Z (6 months ago)
  • It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs`):
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "AWS": "arn:aws:iam::127311923021:root"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
  • }
  • ]
  • }
  • ```
  • As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
  • ```
  • US East (N. Virginia) – 127311923021
  • US East (Ohio) – 033677994240
  • US West (N. California) – 027434742980
  • US West (Oregon) – 797873946194
  • Africa (Cape Town) – 098369216593
  • Asia Pacific (Hong Kong) – 754344448648
  • Asia Pacific (Jakarta) – 589379963580
  • Asia Pacific (Mumbai) – 718504428378
  • Asia Pacific (Osaka) – 383597477331
  • Asia Pacific (Seoul) – 600734575887
  • Asia Pacific (Singapore) – 114774131450
  • Asia Pacific (Sydney) – 783225319266
  • Asia Pacific (Tokyo) – 582318560864
  • Canada (Central) – 985666609251
  • Europe (Frankfurt) – 054676820928
  • Europe (Ireland) – 156460612806
  • Europe (London) – 652711504416
  • Europe (Milan) – 635631232127
  • Europe (Paris) – 009996457667
  • Europe (Stockholm) – 897822967062
  • Middle East (Bahrain) – 076674570225
  • South America (São Paulo) – 507241528517
  • ```
  • Note that this applies for historical regions, but for newer one (available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
  • }
  • ]
  • }
  • ```
  • It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs/AWSLogs/<account-name>/`):
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "AWS": "arn:aws:iam::127311923021:root"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
  • }
  • ]
  • }
  • ```
  • As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
  • ```
  • US East (N. Virginia) – 127311923021
  • US East (Ohio) – 033677994240
  • US West (N. California) – 027434742980
  • US West (Oregon) – 797873946194
  • Africa (Cape Town) – 098369216593
  • Asia Pacific (Hong Kong) – 754344448648
  • Asia Pacific (Jakarta) – 589379963580
  • Asia Pacific (Mumbai) – 718504428378
  • Asia Pacific (Osaka) – 383597477331
  • Asia Pacific (Seoul) – 600734575887
  • Asia Pacific (Singapore) – 114774131450
  • Asia Pacific (Sydney) – 783225319266
  • Asia Pacific (Tokyo) – 582318560864
  • Canada (Central) – 985666609251
  • Europe (Frankfurt) – 054676820928
  • Europe (Ireland) – 156460612806
  • Europe (London) – 652711504416
  • Europe (Milan) – 635631232127
  • Europe (Paris) – 009996457667
  • Europe (Stockholm) – 897822967062
  • Middle East (Bahrain) – 076674570225
  • South America (São Paulo) – 507241528517
  • ```
  • If it is successfully configured, it should immediately put a test file called `ELBAccessLogTestFile` in that folder (in this example under `s3://test-bucket-access-logs/AWSLogs/470602773899/ELBAccessLogTestFile`).
  • Note that the magic numbers above apply only for historical regions; for newer ones that became available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
  • ```
  • {
  • "Version": "2012-10-17",
  • "Statement": [
  • {
  • "Effect": "Allow",
  • "Principal": {
  • "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
  • },
  • "Action": "s3:PutObject",
  • "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
  • }
  • ]
  • }
  • ```
#1: Initial revision by user avatar philipp.classen‭ · 2024-06-20T16:31:17Z (6 months ago)
It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs`):

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::127311923021:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
        }
    ]
}
```

As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):

```
US East (N. Virginia) – 127311923021
US East (Ohio) – 033677994240
US West (N. California) – 027434742980
US West (Oregon) – 797873946194
Africa (Cape Town) – 098369216593
Asia Pacific (Hong Kong) – 754344448648
Asia Pacific (Jakarta) – 589379963580
Asia Pacific (Mumbai) – 718504428378
Asia Pacific (Osaka) – 383597477331
Asia Pacific (Seoul) – 600734575887
Asia Pacific (Singapore) – 114774131450
Asia Pacific (Sydney) – 783225319266
Asia Pacific (Tokyo) – 582318560864
Canada (Central) – 985666609251
Europe (Frankfurt) – 054676820928
Europe (Ireland) – 156460612806
Europe (London) – 652711504416
Europe (Milan) – 635631232127
Europe (Paris) – 009996457667
Europe (Stockholm) – 897822967062
Middle East (Bahrain) – 076674570225
South America (São Paulo) – 507241528517
```

Note that this applies for historical regions, but for newer one (available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
    }
  ]
}
```