
I have some AWS Cloudfront distributions spread out across different AWS accounts.

I'd like to store the access logs from these distributions in a single S3 bucket in a single AWS account.

This is possible, but it isn't documented (that I can find).

It isn't clear what update to the ACL is required on the log bucket, or what (if any) bucket policy is required.

What I seem to need is to update the ACL on the bucket to give FULL_CONTROL to a canonical id of whatever account in the other AWS account that Cloudfront uses to write logs.

If anyone else has configured this and can help, I'd be much obliged.

Garreth McDaid

1 Answer


(Updated for future reference)

Let's say your CloudFront distribution is in account 123456789012 with logging configured to a bucket your-logging-bucket in a different account.

  1. Create a S3 Bucket Policy that gives the CloudFront account 123456789012 permissions to do s3:GetBucketAcl and s3:PutBucketAcl on your-logging-bucket.

    This is the required Bucket Policy (the `arn:aws:iam::123456789012:root` principal is the CloudFront account):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:root"
          },
          "Action": [
            "s3:GetBucketAcl",
            "s3:PutBucketAcl"
          ],
          "Resource": "arn:aws:s3:::your-logging-bucket"
        }
      ]
    }
    
  2. With that S3 Bucket Policy in place, create a new CloudFront distribution in account 123456789012 and in the create wizard enable logging to your-logging-bucket. Thanks to the above Bucket Policy it will create the appropriate ACLs for you.

    You can check that the official CloudFront account c4c1ede66af...8632f77d2d0 has been granted access by viewing S3 -> your-logging-bucket -> Permissions -> ACL


  3. Configure all your other CF distributions in the 123... account to log into your-logging-bucket - it should now work for all pre-existing CF dists as well.

Hope that helps :)

MLu
  • I had tried this and it didn't work, but it more or less is the correct answer. I posed the same question to AWS Support and they advised the following: In the account that owns the S3 bucket, create a temporary CF distribution and enable logging on that to the bucket you wish to use. You can then remove that distribution. This should apply the correct ACL settings for the bucket. Then, create the bucket policy as above. After that, it should be possible to configure logging as required. You suggest that it's an either-or option, but from what I can see both steps are required. – Garreth McDaid Oct 04 '18 at 12:48
  • @GarrethMcDaid thanks for the comment, I have played with the permissions until I got it working and apparently didn't correctly identify the required steps in the right order :) I have now updated the answer for future reference. Hope it's correct now :) – MLu Oct 04 '18 at 21:43
  • If it still doesn't work, [try to specify FQDN](https://stackoverflow.com/a/38297466/2094094) – Alexander Oct 29 '21 at 00:25
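The two things the answer and the comment thread say you need to verify are (a) that the log bucket's policy grants the CloudFront source account `s3:GetBucketAcl` and `s3:PutBucketAcl` on the bucket ARN itself, and (b) that the bucket ACL ends up with a FULL_CONTROL grant for the CloudFront log-delivery canonical user. The following Python is an added example (not code from the answer, the question, or AWS) that builds that policy for one or more source accounts and checks both conditions locally against policy and ACL documents. It assumes the ACL dict is in the shape returned by boto3's `s3.get_bucket_acl()`; the canonical ID and owner ID are placeholders, since the answer only shows the real one truncated. The function names are mine.

```python
import json

# Bucket-level ACL actions the answer's policy grants so that CloudFront can add
# its own log-delivery grant to the bucket ACL when logging is enabled.
REQUIRED_ACTIONS = ("s3:GetBucketAcl", "s3:PutBucketAcl")


def build_log_bucket_policy(bucket, cloudfront_account_ids):
    """Build the bucket policy from the answer, one statement per CloudFront account.

    Resource is the bucket ARN (not bucket/*): both actions are bucket-level."""
    statements = []
    for account_id in cloudfront_account_ids:
        statements.append({
            "Sid": f"CloudFrontLogAcl{account_id}",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": list(REQUIRED_ACTIONS),
            "Resource": f"arn:aws:s3:::{bucket}",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def policy_allows_acl_actions(policy, bucket, account_id):
    """True if Allow statements grant both required ACL actions on the bucket ARN
    to the account root principal.

    This is a quick local check of the document, not an IAM simulation: Deny
    statements and Conditions are not evaluated."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    principal_arn = f"arn:aws:iam::{account_id}:root"
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else ["*"]
        if not {principal_arn, account_id, "*"} & set(principals):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if bucket_arn not in resources and "*" not in resources:
            continue
        granted.update(a for a in _as_list(stmt.get("Action", [])) if a in REQUIRED_ACTIONS)
    return granted == set(REQUIRED_ACTIONS)


# Constructed sample ACL in the shape boto3's get_bucket_acl() returns. Both IDs are
# placeholders; the real log-delivery canonical ID is the one the answer shows truncated.
SAMPLE_LOG_DELIVERY_ID = "LOG_DELIVERY_CANONICAL_ID_PLACEHOLDER"
SAMPLE_ACL = {
    "Owner": {"ID": "BUCKET_OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "BUCKET_OWNER_CANONICAL_ID_PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": SAMPLE_LOG_DELIVERY_ID,
                     "DisplayName": "awslogsdelivery"},
         "Permission": "FULL_CONTROL"},
    ],
}


def find_log_delivery_grant(acl, log_delivery_canonical_id):
    """Return the permission the ACL grants to the log-delivery canonical user, or None."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == log_delivery_canonical_id:
            return grant.get("Permission")
    return None


if __name__ == "__main__":
    policy = build_log_bucket_policy("your-logging-bucket", ["123456789012", "210987654321"])
    print(json.dumps(policy, indent=2))
    for account in ("123456789012", "999999999999"):
        print(account, "policy ok:", policy_allows_acl_actions(policy, "your-logging-bucket", account))
    print("log-delivery ACL grant:", find_log_delivery_grant(SAMPLE_ACL, SAMPLE_LOG_DELIVERY_ID))
```

In practice you would feed `policy_allows_acl_actions` the parsed `Policy` string from `s3.get_bucket_policy()` and `find_log_delivery_grant` the dict from `s3.get_bucket_acl()`, with the real log-delivery canonical ID in place of the placeholder; a missing grant at that point corresponds to the "create a temporary distribution in the bucket-owner account first" step from the comments, and a missing policy statement to step 1 of the answer.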