Enable access logs for your Classic Load Balancer
To enable access logs for your load balancer, you must specify the name of the Amazon S3 bucket where the load balancer will store the logs. You must also attach a bucket policy to this bucket that grants Elastic Load Balancing permission to write to the bucket.
The bucket and your load balancer must be in the same Region. The bucket can be owned by a different account than the account that owns the load balancer.
Tasks
Step 1: Create an S3 bucket
You can create an S3 bucket using the Amazon S3 console. If you already have a bucket and want to use it to store the access logs, skip this step and go to Step 2: Attach a policy to your S3 bucket to grant Elastic Load Balancing permission to write logs to your bucket.
If you will use the console to enable access logs, you can skip this step and have Elastic Load Balancing create a bucket with the required permissions for you. If you will use the AWS CLI to enable access logs, you must create the bucket and grant the required permissions yourself.
Requirements
- The bucket must be located in the same Region as the load balancer.
- Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
To create an S3 bucket using the Amazon S3 console
- Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- Choose Create bucket.
- On the Create bucket page, do the following:
  - For Bucket Name, enter a name for your bucket. This name must be unique across all existing bucket names in Amazon S3. In some Regions, there might be additional restrictions on bucket names. For more information, see Bucket restrictions and limitations in the Amazon Simple Storage Service Developer Guide.
  - For Region, select the Region where you created your load balancer.
- Choose Create.
Step 2: Attach a policy to your S3 bucket
After you've created or identified your S3 bucket, you must attach a policy to the bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. Each statement includes information about a single permission and contains a series of elements.
If your bucket already has an attached policy, you can add the statements for the Elastic Load Balancing access log to the policy. If you do so, we recommend that you evaluate the resulting set of permissions to ensure that they are appropriate for the users that need access to the bucket for access logs.
If you will use the console to enable access logs, you can skip this step and have Elastic Load Balancing create a bucket with the required permissions for you.
To attach a policy statement to your bucket
- Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- Select the bucket. Choose Permissions and then choose Bucket Policy.
- If you are creating a new bucket policy, copy this entire policy document to the policy editor, then replace the placeholders with the bucket name and prefix for your bucket, the ID of the AWS account for Elastic Load Balancing (based on the Region for your load balancer), and the ID of your own AWS account. If you are editing an existing bucket policy, copy only the new statement from the policy document (the text between the [ and ] of the Statement element).

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::elb-account-id:root"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*"
      },
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "delivery.logs.amazonaws.com"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*",
        "Condition": {
          "StringEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
          }
        }
      },
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "delivery.logs.amazonaws.com"
        },
        "Action": "s3:GetBucketAcl",
        "Resource": "arn:aws:s3:::bucket-name"
      }
    ]
  }

  The following table contains the account IDs to use in your bucket policy.
  Region            Region name                  Elastic Load Balancing account ID
  us-east-1         US East (N. Virginia)        127311923021
  us-east-2         US East (Ohio)               033677994240
  us-west-1         US West (N. California)      027434742980
  us-west-2         US West (Oregon)             797873946194
  af-south-1        Africa (Cape Town)           098369216593
  ca-central-1      Canada (Central)             985666609251
  eu-central-1      Europe (Frankfurt)           054676820928
  eu-west-1         Europe (Ireland)             156460612806
  eu-west-2         Europe (London)              652711504416
  eu-south-1        Europe (Milan)               635631232127
  eu-west-3         Europe (Paris)               009996457667
  eu-north-1        Europe (Stockholm)           897822967062
  ap-east-1         Asia Pacific (Hong Kong)     754344448648
  ap-northeast-1    Asia Pacific (Tokyo)         582318560864
  ap-northeast-2    Asia Pacific (Seoul)         600734575887
  ap-northeast-3    Asia Pacific (Osaka)         383597477331
  ap-southeast-1    Asia Pacific (Singapore)     114774131450
  ap-southeast-2    Asia Pacific (Sydney)        783225319266
  ap-south-1        Asia Pacific (Mumbai)        718504428378
  me-south-1        Middle East (Bahrain)        076674570225
  sa-east-1         South America (São Paulo)    507241528517
  us-gov-west-1*    AWS GovCloud (US-West)       048591011584
  us-gov-east-1*    AWS GovCloud (US-East)       190560391635
  cn-north-1*       China (Beijing)              638102146993
  cn-northwest-1*   China (Ningxia)              037604701340

  * These Regions require a separate account. For more information, see AWS GovCloud (US-West) and China (Beijing).
- Choose Save.
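As an added example (not code from this AWS page), a small Python helper that fills in the policy template above for a given Region, bucket, prefix and account, and reviews an existing policy for s3:PutObject grants that are wider than that template (a principal other than the Region's Elastic Load Balancing account, or a Resource outside your own AWSLogs path). The account-ID table is copied from this page for a few Regions; the function names are my own.

```python
# ELB account IDs for a few Regions, copied from the table on this page
# (GovCloud and China Regions use separate accounts; see the table).
ELB_ACCOUNT_IDS = {
    "us-east-1": "127311923021", "us-east-2": "033677994240",
    "us-west-1": "027434742980", "us-west-2": "797873946194",
    "eu-west-1": "156460612806", "eu-central-1": "054676820928",
    "ap-southeast-1": "114774131450", "ap-northeast-1": "582318560864",
}


def log_object_arn(bucket, prefix, account_id):
    """ARN of the object path the load balancer writes to (template from this page)."""
    return f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/*"


def build_bucket_policy(region, bucket, prefix, account_id):
    """Fill the page's three-statement policy for one Region and account."""
    elb_root = f"arn:aws:iam::{ELB_ACCOUNT_IDS[region]}:root"
    objects = log_object_arn(bucket, prefix, account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": elb_root},
             "Action": "s3:PutObject", "Resource": objects},
            {"Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"},
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
            {"Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def review_policy(policy, region, bucket, prefix, account_id):
    """Flag PutObject grants broader than the template: an AWS principal other than
    the Region's ELB account (including "*"), or a Resource outside your AWSLogs path."""
    expected = log_object_arn(bucket, prefix, account_id)
    elb_root = f"arn:aws:iam::{ELB_ACCOUNT_IDS[region]}:root"
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        if "s3:PutObject" not in ([actions] if isinstance(actions, str) else actions):
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if aws and aws != elb_root:
            findings.append(f"statement {i}: PutObject allowed for {aws}, not {elb_root}")
        resources = st.get("Resource", [])
        for r in [resources] if isinstance(resources, str) else resources:
            if r != expected:
                findings.append(f"statement {i}: Resource {r} is wider than {expected}")
    return findings
```

Run review_policy against the policy document you actually attached (for example, the output of aws s3api get-bucket-policy) before enabling logging, so a stray wildcard principal or a bucket-wide Resource is caught early.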
Step 3: Enable access logs
You can enable access logs using the AWS Management Console or the AWS CLI. Note that when you enable access logs using the console, you can have Elastic Load Balancing create the bucket for you with the necessary permissions for the load balancer to write to your bucket.
Use the following example to capture and deliver logs to your S3 bucket every 60 minutes (the default interval).
To enable access logs for your load balancer using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, under LOAD BALANCING, choose Load Balancers.
- Select your load balancer.
- On the Description tab, choose Configure Access Logs.
- On the Configure Access Logs page, do the following:
  - Choose Enable access logs.
  - Leave Interval as the default, 60 minutes.
  - For S3 location, type the name of your S3 bucket, including the prefix (for example, my-loadbalancer-logs/my-app). You can specify the name of an existing bucket or a name for a new bucket.
  - (Optional) If the bucket does not exist, choose Create this location for me. You must specify a name that is unique across all existing bucket names in Amazon S3 and follows the DNS naming conventions. For more information, see Rules for bucket naming in the Amazon Simple Storage Service Developer Guide.
- Choose Save.
To enable access logs for your load balancer using the AWS CLI
First, create a .json file that enables Elastic Load Balancing to capture and deliver logs every 60 minutes to the S3 bucket that you created for the logs:
{
  "AccessLog": {
    "Enabled": true,
    "S3BucketName": "my-loadbalancer-logs",
    "EmitInterval": 60,
    "S3BucketPrefix": "my-app"
  }
}
To enable access logs, specify the .json file in the modify-load-balancer-attributes command as follows:
aws elb modify-load-balancer-attributes --load-balancer-name my-loadbalancer --load-balancer-attributes file://my-json-file.json
The following is an example response:
{
"LoadBalancerAttributes": {
"AccessLog": {
"Enabled": true,
"EmitInterval": 60,
"S3BucketName": "my-loadbalancer-logs",
"S3BucketPrefix": "my-app"
}
},
"LoadBalancerName": "my-loadbalancer"
}
Step 4: Verify that the load balancer created a test file in the S3 bucket
After the access log is enabled for your load balancer, Elastic Load Balancing validates the S3 bucket and creates a test file. You can use the S3 console to verify that the test file was created.
To verify that Elastic Load Balancing created a test file in your S3 bucket
- Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- Select your S3 bucket.
- Navigate to the bucket that you specified for access logging and look for ELBAccessLogTestFile. For example, if you used the console to create the bucket and bucket policy, the path is as follows:

  my-bucket/prefix/AWSLogs/123456789012/ELBAccessLogTestFile
To manage the S3 bucket for your access logs
After you enable access logging, be sure to disable access logging before you delete the bucket with your access logs. Otherwise, if there is a new bucket with the same name and the required bucket policy created in an AWS account that you don't own, Elastic Load Balancing could write the access logs for your load balancer to this new bucket.