Welcome to Software Development on Codidact!
Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.
Post History
It needs the s3:PutObject permisson, but the Principal in the policy depends on the AWS region. For instance, in us-east-1, this should work (assuming it will log under s3://test-bucket-access-logs...
Answer
#3: Post edited
by
philipp.classen
·
2024-06-20T16:43:12Z (12 days ago)
It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs/AWSLogs/<account-name>/`):- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::127311923021:root"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
- }
- ]
- }
- ```
As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):- ```
- US East (N. Virginia) – 127311923021
- US East (Ohio) – 033677994240
- US West (N. California) – 027434742980
- US West (Oregon) – 797873946194
- Africa (Cape Town) – 098369216593
- Asia Pacific (Hong Kong) – 754344448648
- Asia Pacific (Jakarta) – 589379963580
- Asia Pacific (Mumbai) – 718504428378
- Asia Pacific (Osaka) – 383597477331
- Asia Pacific (Seoul) – 600734575887
- Asia Pacific (Singapore) – 114774131450
- Asia Pacific (Sydney) – 783225319266
- Asia Pacific (Tokyo) – 582318560864
- Canada (Central) – 985666609251
- Europe (Frankfurt) – 054676820928
- Europe (Ireland) – 156460612806
- Europe (London) – 652711504416
- Europe (Milan) – 635631232127
- Europe (Paris) – 009996457667
- Europe (Stockholm) – 897822967062
- Middle East (Bahrain) – 076674570225
- South America (São Paulo) – 507241528517
- ```
- If it is successfully configured, it should immediately put a test file called `ELBAccessLogTestFile` in that folder (in this example under `s3://test-bucket-access-logs/AWSLogs/470602773899/ELBAccessLogTestFile`).
- Note that the magic numbers above apply only for historical regions; for newer ones that became available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
- }
- ]
- }
- ```
- It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east-1`, this should work (assuming it will log under `s3://test-bucket-access-logs/AWSLogs/<account-name>/`):
- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::127311923021:root"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
- }
- ]
- }
- ```
- As said, the magic number `127311923021` is for `us-east-1` and will differ if the load balancer is in a different region. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
- ```
- US East (N. Virginia) – 127311923021
- US East (Ohio) – 033677994240
- US West (N. California) – 027434742980
- US West (Oregon) – 797873946194
- Africa (Cape Town) – 098369216593
- Asia Pacific (Hong Kong) – 754344448648
- Asia Pacific (Jakarta) – 589379963580
- Asia Pacific (Mumbai) – 718504428378
- Asia Pacific (Osaka) – 383597477331
- Asia Pacific (Seoul) – 600734575887
- Asia Pacific (Singapore) – 114774131450
- Asia Pacific (Sydney) – 783225319266
- Asia Pacific (Tokyo) – 582318560864
- Canada (Central) – 985666609251
- Europe (Frankfurt) – 054676820928
- Europe (Ireland) – 156460612806
- Europe (London) – 652711504416
- Europe (Milan) – 635631232127
- Europe (Paris) – 009996457667
- Europe (Stockholm) – 897822967062
- Middle East (Bahrain) – 076674570225
- South America (São Paulo) – 507241528517
- ```
- If it is successfully configured, it should immediately put a test file called `ELBAccessLogTestFile` in that folder (in this example under `s3://test-bucket-access-logs/AWSLogs/470602773899/ELBAccessLogTestFile`).
- Note that the magic numbers above apply only for historical regions; for newer ones that became available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
- }
- ]
- }
- ```
#2: Post edited
by
philipp.classen
·
2024-06-20T16:34:13Z (12 days ago)
It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs`):- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::127311923021:root"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
- }
- ]
- }
- ```
- As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
- ```
- US East (N. Virginia) – 127311923021
- US East (Ohio) – 033677994240
- US West (N. California) – 027434742980
- US West (Oregon) – 797873946194
- Africa (Cape Town) – 098369216593
- Asia Pacific (Hong Kong) – 754344448648
- Asia Pacific (Jakarta) – 589379963580
- Asia Pacific (Mumbai) – 718504428378
- Asia Pacific (Osaka) – 383597477331
- Asia Pacific (Seoul) – 600734575887
- Asia Pacific (Singapore) – 114774131450
- Asia Pacific (Sydney) – 783225319266
- Asia Pacific (Tokyo) – 582318560864
- Canada (Central) – 985666609251
- Europe (Frankfurt) – 054676820928
- Europe (Ireland) – 156460612806
- Europe (London) – 652711504416
- Europe (Milan) – 635631232127
- Europe (Paris) – 009996457667
- Europe (Stockholm) – 897822967062
- Middle East (Bahrain) – 076674570225
- South America (São Paulo) – 507241528517
- ```
Note that this applies for historical regions, but for newer one (available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
- }
- ]
- }
- ```
- It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs/AWSLogs/<account-name>/`):
- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::127311923021:root"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
- }
- ]
- }
- ```
- As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
- ```
- US East (N. Virginia) – 127311923021
- US East (Ohio) – 033677994240
- US West (N. California) – 027434742980
- US West (Oregon) – 797873946194
- Africa (Cape Town) – 098369216593
- Asia Pacific (Hong Kong) – 754344448648
- Asia Pacific (Jakarta) – 589379963580
- Asia Pacific (Mumbai) – 718504428378
- Asia Pacific (Osaka) – 383597477331
- Asia Pacific (Seoul) – 600734575887
- Asia Pacific (Singapore) – 114774131450
- Asia Pacific (Sydney) – 783225319266
- Asia Pacific (Tokyo) – 582318560864
- Canada (Central) – 985666609251
- Europe (Frankfurt) – 054676820928
- Europe (Ireland) – 156460612806
- Europe (London) – 652711504416
- Europe (Milan) – 635631232127
- Europe (Paris) – 009996457667
- Europe (Stockholm) – 897822967062
- Middle East (Bahrain) – 076674570225
- South America (São Paulo) – 507241528517
- ```
- If it is successfully configured, it should immediately put a test file called `ELBAccessLogTestFile` in that folder (in this example under `s3://test-bucket-access-logs/AWSLogs/470602773899/ELBAccessLogTestFile`).
- Note that the magic numbers above apply only for historical regions; for newer ones that became available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
- }
- ]
- }
- ```
#1: Initial revision
by
philipp.classen
·
2024-06-20T16:31:17Z (12 days ago)
It needs the `s3:PutObject` permisson, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east`, this should work (assuming it will log under `s3://test-bucket-access-logs`):
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::127311923021:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-access-logs/*"
}
]
}
```
As said, the magic number `127311923021` is for `us-east` (N. Virginia) and will differ across regions. The full list can be [found here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy):
```
US East (N. Virginia) – 127311923021
US East (Ohio) – 033677994240
US West (N. California) – 027434742980
US West (Oregon) – 797873946194
Africa (Cape Town) – 098369216593
Asia Pacific (Hong Kong) – 754344448648
Asia Pacific (Jakarta) – 589379963580
Asia Pacific (Mumbai) – 718504428378
Asia Pacific (Osaka) – 383597477331
Asia Pacific (Seoul) – 600734575887
Asia Pacific (Singapore) – 114774131450
Asia Pacific (Sydney) – 783225319266
Asia Pacific (Tokyo) – 582318560864
Canada (Central) – 985666609251
Europe (Frankfurt) – 054676820928
Europe (Ireland) – 156460612806
Europe (London) – 652711504416
Europe (Milan) – 635631232127
Europe (Paris) – 009996457667
Europe (Stockholm) – 897822967062
Middle East (Bahrain) – 076674570225
South America (São Paulo) – 507241528517
```
Note that this applies for historical regions, but for newer one (available after August 2022), it again differs. According to the [same documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy), it now looks like that:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "logdelivery.elasticloadbalancing.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
}
]
}
```