This content originally appeared on DEV Community and was authored by Atsushi Suzuki
While attempting to enable access logs for an Application Load Balancer (ALB) in AWS, I encountered a permissions error due to insufficient S3 bucket permissions. The error highlighted the need for proper bucket policy settings, which I had initially overlooked.
```
│ Error: modifying ELBv2 Load Balancer (arn:aws:elasticloadbalancing:ap-northeast-1:************:loadbalancer/app/alb-prod/fbbd3f2304ff9285) attributes: InvalidConfigurationRequest: Access Denied for bucket: logs-prod. Please check S3 bucket permission
```
Upon reviewing the official documentation, I realized that I had missed configuring the bucket policy.
Official AWS Documentation on Enabling Access Logging
Here's how I resolved the error using Terraform, which might be helpful if you encounter a similar issue.
S3 Bucket Setup
I used the bucket name `logs-prod` and the prefix `alb/alb-prod`. The number `582318560864` represents the AWS account ID for ELB in the Tokyo region. Replace `<account-id>` with your own AWS account ID.
```hcl
resource "aws_s3_bucket" "logs_prod" {
  bucket = "logs-prod"

  tags = {
    Environment = "prod"
  }
}

# Lets the regional ELB account write (PutObject only) under this
# load balancer's log prefix; no read or list access is granted.
resource "aws_s3_bucket_policy" "logs_prod_policy" {
  bucket = aws_s3_bucket.logs_prod.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::582318560864:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::logs-prod/alb/alb-prod/AWSLogs/<account-id>/*"
    }
  ]
}
POLICY
}
```
ALB Configuration
I added an `access_logs` block to the ALB setup to enable logging, specify the bucket name, and set the prefix.
```hcl
resource "aws_lb" "alb_prod" {
  name                       = "alb-prod"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [var.security_group_elb_sg_id]
  subnets                    = [var.subnet_public_1a_id, var.subnet_public_1c_id]
  enable_deletion_protection = true
  preserve_host_header       = true

  # Bucket and prefix must match the Resource path in the bucket policy.
  access_logs {
    enabled = true
    bucket  = "logs-prod"
    prefix  = "alb/alb-prod"
  }

  tags = {
    Environment = "prod"
  }
}
```
By applying these settings, I ensured correct and secure logging from the ALB to the specified S3 bucket.
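An added example, not part of the original post: the same bucket policy built from Terraform data sources, so the regional ELB account and your own account ID are looked up instead of hard-coded. The data source and local names (`current`, `elb`, `alb_logs`, `log_bucket`, `log_prefix`) are illustrative; the block replaces the `aws_s3_bucket_policy` resource above and assumes the post's `aws_s3_bucket.logs_prod` resource.

```hcl
# Added example (not the author's code): drop-in replacement for the
# hard-coded aws_s3_bucket_policy. Names below are illustrative.

# Account ID of the credentials Terraform is running with.
data "aws_caller_identity" "current" {}

# ELB service account for the provider's region
# (582318560864 when the provider region is ap-northeast-1).
data "aws_elb_service_account" "elb" {}

locals {
  log_bucket = "logs-prod"
  log_prefix = "alb/alb-prod" # must match access_logs.prefix on the ALB
}

data "aws_iam_policy_document" "alb_logs" {
  statement {
    effect  = "Allow"
    actions = ["s3:PutObject"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.elb.arn]
    }

    # Write access only, scoped to this load balancer's prefix and this
    # account's AWSLogs path rather than the whole bucket.
    resources = [
      "arn:aws:s3:::${local.log_bucket}/${local.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "logs_prod_policy" {
  bucket = aws_s3_bucket.logs_prod.id
  policy = data.aws_iam_policy_document.alb_logs.json
}
```

Because the `aws_lb` resource refers to the bucket by the string `"logs-prod"`, Terraform has no ordering between the policy and the load balancer; adding `depends_on = [aws_s3_bucket_policy.logs_prod_policy]` to `aws_lb.alb_prod` makes a fresh apply attach the policy before access logging is enabled.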
Atsushi Suzuki | Sciencx (2024-08-14T00:03:45+00:00) Enabling Access Logs for AWS ELB (ALB) with Terraform. Retrieved from https://www.scien.cx/2024/08/14/enabling-access-logs-for-aws-elb-alb-with-terraform/