A few AWS users have raised questions on repost.aws about the following:
- save flow log to a different account
- AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error
This post is to help other users who are facing the same issue.
- The first step: create a bucket with a unique name.
As per the AWS documentation (IAM policy for IAM principals that publish flow logs to Amazon S3), we will be using the following substitutions in the bucket policies below:

| Parameter | Example |
|---|---|
| [BucketName] | flowlogstestrandomnumber |
| [Region] | ap-southeast-2 |
| [AccountB] | 123456789101 |
- Policy from the documentation

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[BucketName]",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": "[AccountB]"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::[BucketName]",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "[AccountB]"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
        }
      }
    }
  ]
}
```
- When we add this bucket policy to send VPC flow logs from AccountA to an S3 bucket in AccountB (a different account), we notice the following error:
- The error is caused by the `Resource` element naming only the bucket itself, so `s3:PutObject` on objects inside the bucket is denied:

```json
"Resource": "arn:aws:s3:::[BucketName]",
```

- We need to update the bucket policy to allow access to both the bucket and the objects within it, by changing the `Resource` element as follows:

```json
"Resource": [
  "arn:aws:s3:::[BucketName]",
  "arn:aws:s3:::[BucketName]/*"
],
```
- The final policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::[BucketName]",
        "arn:aws:s3:::[BucketName]/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": "[AccountB]"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::[BucketName]",
        "arn:aws:s3:::[BucketName]/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "[AccountB]"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
        }
      }
    }
  ]
}
```
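As an added check (example code, not part of the original post or of AWS's tooling), the following Python linter substitutes the placeholders from the table above into a compacted copy of the documentation policy, flags the bucket-only `Resource` that causes the 403 above, and also flags any grant to `delivery.logs.amazonaws.com` that is not pinned with `aws:SourceAccount` and `aws:SourceArn`, which is what keeps another account's log delivery from writing into your bucket. The function and template names are my own.

```python
import json

LOG_DELIVERY = "delivery.logs.amazonaws.com"

# Constructed, compacted copy of the documentation policy from the post
# (s3:PutObject is granted on the bucket ARN only, which produces the 403).
DOC_POLICY_TEMPLATE = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
   "Principal": {"Service": "delivery.logs.amazonaws.com"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::[BucketName]",
   "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "[AccountB]"},
                 "ArnLike": {"aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"}}},
  {"Sid": "AWSLogDeliveryCheck", "Effect": "Allow",
   "Principal": {"Service": "delivery.logs.amazonaws.com"},
   "Action": ["s3:GetBucketAcl", "s3:ListBucket"], "Resource": "arn:aws:s3:::[BucketName]",
   "Condition": {"StringEquals": {"aws:SourceAccount": "[AccountB]"},
                 "ArnLike": {"aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"}}}]}"""


def render(template, **params):
    """Substitute [Key] placeholders (as in the post's table) and parse the JSON."""
    for key, value in params.items():
        template = template.replace(f"[{key}]", value)
    return json.loads(template)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_flow_log_policy(policy, bucket):
    """Findings for each Allow statement granted to the log-delivery service; [] means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt.get("Effect") != "Allow" or LOG_DELIVERY not in services:
            continue
        sid, cond = stmt.get("Sid", "?"), stmt.get("Condition", {})
        # The post's bug: PutObject granted on the bucket ARN but not on its objects.
        if "s3:PutObject" in _as_list(stmt.get("Action")) and \
                f"arn:aws:s3:::{bucket}/*" not in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: s3:PutObject lacks object resource arn:aws:s3:::{bucket}/*")
        # The service principal must stay pinned to the expected publisher account.
        for key, block in (("aws:SourceAccount", "StringEquals"), ("aws:SourceArn", "ArnLike")):
            if key not in cond.get(block, {}):
                findings.append(f"{sid}: missing {key} condition (confused-deputy risk)")
    return findings


def fix_object_resource(policy, bucket):
    """Apply the post's fix: add the object ARN to every log-delivery statement."""
    for stmt in policy["Statement"]:
        if LOG_DELIVERY in _as_list(stmt.get("Principal", {}).get("Service", [])):
            stmt["Resource"] = sorted(set(_as_list(stmt["Resource"])) | {f"arn:aws:s3:::{bucket}/*"})
    return policy
```

Run `lint_flow_log_policy` on the rendered template before and after `fix_object_resource` to see the single finding disappear; a policy with a `Condition` block removed reports the missing pinning keys instead.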
- Create a flow log for a subnet in a VPC and take note of the subnet's Availability Zone, as we are going to launch an EC2 instance in the same subnet to generate some traffic.
Note: For a quicker demonstration, choose a 1 min aggregation interval (the default is 10 mins).
- The flow log is created:
- Launch an EC2 instance in the same subnet as the flow log.
- After a few minutes, the flow logs are stored in AccountA’s S3 bucket and they are prefixed with AccountB’s account number.
- Clean Up
  - Terminate the EC2 instance
  - Delete the flow log from the subnet
  - Empty the bucket
  - Delete the bucket
- Summary
  - Remember to add both the bucket and the objects within the bucket as resources within the policy:

```json
"Resource": [
  "arn:aws:s3:::[BucketName]",
  "arn:aws:s3:::[BucketName]/*"
],
```