Elastic Load Balancing
Developer Guide

Enable Access Logs for Your Load Balancer

To enable access logs for your load balancer, you must specify the name of the Amazon S3 bucket where the load balancer will store the logs. You must also attach a bucket policy to this bucket that grants Elastic Load Balancing permission to write to the bucket.

Important

The bucket and your load balancer must be in the same region. The bucket can be owned by a different account than the account that owns the load balancer.

Step 1: Create an S3 Bucket

You can create an S3 bucket using the Amazon S3 console. If you already have a bucket and want to use it to store the access logs, skip this step and go to Step 2: Attach a Policy to Your S3 Bucket to grant Elastic Load Balancing permission to write logs to your bucket.

Tip

If you will use the console to enable access logs, you can skip this step and have Elastic Load Balancing create a bucket with the required permissions for you. If you will use the AWS CLI to enable access logs, you must create the bucket and grant the required permissions yourself.

To create an Amazon S3 bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Click Create Bucket.

  3. In the Create a Bucket dialog box, do the following:

    1. In the Bucket Name box, enter a name for your bucket (for example, my-loadbalancer-logs). This name must be unique across all existing bucket names in Amazon S3. In some regions, there might be additional restrictions on bucket names. For more information, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service Developer Guide.

    2. In Region, select the region where you created your load balancer.

    3. Click Create.

Step 2: Attach a Policy to Your S3 Bucket

After you've created or identified your S3 bucket, you must attach a policy to the bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. Each statement includes information about a single permission and contains a series of elements.

If your bucket already has an attached policy, you can add the statements for the Elastic Load Balancing access log to the policy. If you do so, we recommend that you evaluate the resulting set of permissions to ensure that they are appropriate for the users that need access to the bucket for access logs.

Tip

If you will use the console to enable access logs, you can skip this step and have Elastic Load Balancing create a bucket with the required permissions for you.

To attach a policy statement to your bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Select the bucket, and then click Properties.

  3. Under Permissions, click Add bucket policy.

  4. On the Bucket Policy Editor page, click AWS Policy Generator.

  5. On the AWS Policy Generator page, do the following:

    1. For Select Type of Policy, select S3 Bucket Policy.

    2. For Effect, select Allow to allow access to the S3 bucket.

    3. In Principal, specify the account ID for Elastic Load Balancing to grant Elastic Load Balancing access to the S3 bucket. Select the account ID that corresponds to the region for your load balancer and bucket.

      Region            Region Name                  Elastic Load Balancing Account ID
      us-east-1         US East (N. Virginia)        127311923021
      us-west-1         US West (N. California)      027434742980
      us-west-2         US West (Oregon)             797873946194
      eu-west-1         EU (Ireland)                 156460612806
      eu-central-1      EU (Frankfurt)               054676820928
      ap-northeast-1    Asia Pacific (Tokyo)         582318560864
      ap-northeast-2    Asia Pacific (Seoul)         600734575887
      ap-southeast-1    Asia Pacific (Singapore)     114774131450
      ap-southeast-2    Asia Pacific (Sydney)        783225319266
      ap-south-1        Asia Pacific (Mumbai)        718504428378
      sa-east-1         South America (São Paulo)    507241528517
      us-gov-west-1*    AWS GovCloud (US)            048591011584
      cn-north-1**      China (Beijing)              638102146993

      * This region requires a separate account. For more information, see AWS GovCloud (US).

      ** This region requires a separate account. For more information, see China (Beijing).

    4. For Actions, select PutObject to allow Elastic Load Balancing to store objects in the S3 bucket.

    5. For Amazon Resource Name (ARN), enter the ARN of the S3 bucket in the following format:

      arn:aws:s3:::bucket/prefix/AWSLogs/aws-account-id/*

      You must specify the ID of the AWS account that owns the load balancer, without hyphens. For example:

      arn:aws:s3:::my-loadbalancer-logs/my-app/AWSLogs/123456789012/*

      Note that if you are using the us-gov-west-1 region, use arn:aws-us-gov: instead of arn:aws: in the ARN.

    6. Click Add Statement, and then click Generate Policy.

    7. Copy the policy that is displayed in the Policy JSON Document page, and then click Close. The policy document should look similar to the following:

      {
        "Id": "Policy1429136655940",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1429136633762",
            "Action": [
              "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-loadbalancer-logs/my-app/AWSLogs/123456789012/*",
            "Principal": {
              "AWS": [
                "797873946194"
              ]
            }
          }
        ]
      }

  6. Go back to the Bucket Policy Editor page and paste the policy into the text area.

  7. Click Save to save the policy. If Save is not enabled, press Enter.

  8. Under Permissions, click Save to attach the policy to your bucket.
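The following Python is an added example, not part of the original guide. It builds the Step 2 statement and audits an existing bucket policy against it, which is the evaluation recommended above when you add the statement to a policy that is already attached. The function names, the constructed `BROAD_SAMPLE` policy and the three-region subset of the account ID table are assumptions made for this illustration.

```python
# Subset of the Elastic Load Balancing account IDs from the table in Step 2.
ELB_ACCOUNT_IDS = {"us-east-1": "127311923021", "us-west-2": "797873946194",
                   "us-gov-west-1": "048591011584"}

def log_resource(region, bucket, prefix, owner_id):
    """ARN the grant is scoped to; us-gov-west-1 uses arn:aws-us-gov:."""
    if not (len(owner_id) == 12 and owner_id.isdigit()):
        raise ValueError("owner account ID must be 12 digits without hyphens")
    part = "aws-us-gov" if region == "us-gov-west-1" else "aws"
    return f"arn:{part}:s3:::{bucket}/{prefix}/AWSLogs/{owner_id}/*"

def build_policy(region, bucket, prefix, owner_id):
    """Single-statement bucket policy equivalent to the generated one."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": log_resource(region, bucket, prefix, owner_id),
        "Principal": {"AWS": [ELB_ACCOUNT_IDS[region]]},
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, region, bucket, prefix, owner_id):
    """List ways the ELB account's grants differ from the Step 2 statement."""
    elb, want = ELB_ACCOUNT_IDS[region], log_resource(region, bucket, prefix, owner_id)
    findings, granted = [], False
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        names = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        # The account may appear as a bare ID or as arn:...:iam::<id>:root.
        if stmt.get("Effect") != "Allow" or not any(elb in str(p) for p in names):
            continue
        actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        extra = [a for a in actions if a != "s3:putobject"]
        wide = [r for r in resources if r != want]
        if extra:
            findings.append(f"statement {n}: extra actions {extra}")
        if wide:
            findings.append(f"statement {n}: resource outside log path {wide}")
        granted = granted or ("s3:putobject" in actions and want in resources)
    if not granted:
        findings.append(f"missing exact grant: s3:PutObject on {want}")
    return findings

# Constructed sample: all S3 actions on the whole bucket for the us-west-2 ELB account.
BROAD_SAMPLE = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-loadbalancer-logs/*", "Principal": {"AWS": "797873946194"}}]}
```

An empty list from `audit` means the Elastic Load Balancing account holds only the `s3:PutObject` grant on the log path; statements for other principals are not examined.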

Step 3: Enable Access Logs

You can enable access logs using the AWS Management Console or the AWS CLI. Note that when you enable access logs using the console, you can have Elastic Load Balancing create the bucket for you with the necessary permissions for the load balancer to write to your bucket.

Use the following example to capture and deliver logs to your S3 bucket every 60 minutes (the default interval).

To enable access logs for your load balancer using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.

  3. Select your load balancer.

  4. In the Description tab, find Access Logs, and then click (Edit).

  5. In the Configure Access Logs dialog box, do the following:

    1. Select Enable Access Logs.

    2. Leave Interval set to the default setting, 60 minutes.

    3. In S3 Location, enter the name of your S3 bucket, including the prefix (for example, my-loadbalancer-logs/my-app).

      Tip

      If you want Elastic Load Balancing to create the bucket, you must specify a name that is unique across all existing bucket names in Amazon S3. In some regions, there might be additional restrictions on bucket names. For more information, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service Developer Guide.

    4. (Optional) If you want Elastic Load Balancing to create the bucket, select Create the location for me.

    5. Click Save.

To enable access logs for your load balancer using the AWS CLI

First, create a .json file that enables Elastic Load Balancing to capture and deliver logs every 60 minutes to the S3 bucket that you created for the logs:

{ 
  "AccessLog": {
    "Enabled": true,
    "S3BucketName": "my-loadbalancer-logs",
    "EmitInterval": 60,
    "S3BucketPrefix": "my-app"
  }
}

To enable access logs, specify the .json file in the modify-load-balancer-attributes command as follows:

aws elb modify-load-balancer-attributes --load-balancer-name my-loadbalancer --load-balancer-attributes file://my-json-file.json

The following is an example response:

{
    "LoadBalancerAttributes": {
        "AccessLog": {
            "Enabled": true,
            "EmitInterval": 60,
            "S3BucketName": "my-loadbalancer-logs",
            "S3BucketPrefix": "my-app"
        }
    },
    "LoadBalancerName": "my-loadbalancer"
}

Step 4: Verify that the Load Balancer Created a Test File in the S3 Bucket

After the access log is enabled for your load balancer, Elastic Load Balancing validates the S3 bucket and creates a test file. You can use the S3 console to verify that the test file was created.

To verify that Elastic Load Balancing created a test file in your S3 bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. From the All Buckets list, select your S3 bucket.

  3. Navigate to the test log file. The path should be as follows:

    my-bucket/prefix/AWSLogs/123456789012/ELBAccessLogTestFile