How to Publish VPC Flow Logs to a Different Account

A few AWS users have raised a question on repost.aws on the following: save flow log to a different account AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error …

A few AWS users have raised a question on repost.aws on the following:

This post is to help other users who are facing the same issue.

  • The first step: create a bucket with a unique name.

As per AWS’s documentation IAM policy for IAM principals that publish flow logs to Amazon S3

We will be using the following substitutions in the following bucket policies:

Parameter Example
[BucketName] flowlogstestrandomnumber
[Region] ap-southeast-2
[AccountB] 123456789101
  • Policy from the documentation
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[BucketName]",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
            "Resource": "arn:aws:s3:::[BucketName]",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        }
    ]
}
  • When we add a bucket policy to send VPC flow logs from AccountA to a S3 bucket in AccountB (different account), we notice the following error:

Bucket Policy Error

  • The error is caused due to:
"Resource": "arn:aws:s3:::[BucketName]",
  • We need to update the bucket policy to allow access to the bucket and the objects within the bucket by updating it as follows:
"Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
  • The final policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        }
    ]
}
  • Create a flow log for a subnet in a VPC and take note of the subnet zone as we are going to launch an EC2 instance in the same subnet to create some traffic.

Note: For a quicker demonstration, let’s choose 1 min interval (default is 10 mins)

Create a Flow Log

  • The flow Log is created:
    Flow Log
  • Launch an EC2 instance in the same subnet as the flow log.
  • After a few minutes, the flow logs are stored in AccountA’s S3 bucket and they are prefixed with AccountB’s account number.

Flow Logs from AccountB in AccountA

  • Clean Up
    • Terminate EC2 instance
    • Delete the flow log from the subnet
    • Empty the bucket
    • Delete the bucket
  • Summary
    • Remember to add both the bucket and the objects within the bucket as resources within the policy.
"Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.