Enable access logs for your Classic Load Balancer - Elastic Load Balancing
Step 1: Create an S3 bucketStep 2: Attach a policy to your S3 bucketStep 3: Enable access logsStep 4: Verify that the load balancer created a test file in the S3 bucket

Enable access logs for your Classic Load Balancer

To enable access logs for your load balancer, you must specify the name of the Amazon S3 bucket where the load balancer will store the logs. You must also attach a bucket policy to this bucket that grants Elastic Load Balancing permission to write to the bucket.

Important

The bucket and your load balancer must be in the same Region. The bucket can be owned by a different account than the account that owns the load balancer.

Step 1: Create an S3 bucket

You can create an S3 bucket using the Amazon S3 console. If you already have a bucket and want to use it to store the access logs, skip this step and go to Step 2: Attach a policy to your S3 bucket to grant Elastic Load Balancing permission to write logs to your bucket.

Tip

If you will use the console to enable access logs, you can skip this step and have Elastic Load Balancing create a bucket with the required permissions for you. If you will use the AWS CLI to enable access logs, you must create the bucket and grant the required permissions yourself.

Requirements

  • The bucket must be located in the same Region as the load balancer.

  • Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.

To create an S3 bucket using the Amazon S3 console

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose Create bucket.

  3. On the Create bucket page, do the following:

    1. For Bucket Name, enter a name for your bucket. This name must be unique across all existing bucket names in Amazon S3. In some Regions, there might be additional restrictions on bucket names. For more information, see Bucket restrictions and limitations in the Amazon Simple Storage Service User Guide.

    2. For Region, select the Region where you created your load balancer.

    3. Choose Create.

Step 2: Attach a policy to your S3 bucket

After you've created or identified your S3 bucket, you must attach a policy to the bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. Each statement includes information about a single permission and contains a series of elements.

If your bucket already has an attached policy, you can add the statements for the Elastic Load Balancing access log to the policy. If you do so, we recommend that you evaluate the resulting set of permissions to ensure that they are appropriate for the users that need access to the bucket for access logs.

Tip

If you will use the console to enable access logs, you can skip this step and have Elastic Load Balancing create a bucket with the required permissions for you.

To attach a policy statement to your bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Select the bucket. Choose Permissions and then choose Bucket Policy.

  3. If you are creating a new bucket policy, copy this entire policy document to the policy editor, then replace the placeholders with the bucket name and prefix for your bucket, the ID of the AWS account for Elastic Load Balancing (based on the Region for your load balancer), and the ID of your own AWS account. If you are editing an existing bucket policy, copy only the new statement from the policy document (the text between the [ and ] of the Statement element). 

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::bucket-name"
    }
  ]
}

    The following table contains the account IDs to use in your bucket policy.

    Region Region name Elastic Load Balancing account ID
    us-east-1 US East (N. Virginia) 127311923021
    us-east-2 US East (Ohio) 033677994240
    us-west-1 US West (N. California) 027434742980
    us-west-2 US West (Oregon) 797873946194
    af-south-1 Africa (Cape Town) 098369216593
    ca-central-1 Canada (Central) 985666609251
    eu-central-1 Europe (Frankfurt) 054676820928
    eu-west-1 Europe (Ireland) 156460612806
    eu-west-2 Europe (London) 652711504416
    eu-south-1 Europe (Milan) 635631232127
    eu-west-3 Europe (Paris) 009996457667
    eu-north-1 Europe (Stockholm) 897822967062
    ap-east-1 Asia Pacific (Hong Kong) 754344448648
    ap-northeast-1 Asia Pacific (Tokyo) 582318560864
    ap-northeast-2 Asia Pacific (Seoul) 600734575887
    ap-northeast-3 Asia Pacific (Osaka) 383597477331
    ap-southeast-1 Asia Pacific (Singapore) 114774131450
    ap-southeast-2 Asia Pacific (Sydney) 783225319266
    ap-south-1 Asia Pacific (Mumbai) 718504428378
    me-south-1 Middle East (Bahrain) 076674570225
    sa-east-1 South America (São Paulo) 507241528517
    us-gov-west-1* AWS GovCloud (US-West) 048591011584
    us-gov-east-1* AWS GovCloud (US-East) 190560391635
    cn-north-1* China (Beijing) 638102146993
    cn-northwest-1* China (Ningxia) 037604701340

    * These Regions requires a separate account. For more information, see AWS GovCloud (US-West) and China (Beijing).

  4. Choose Save.

Step 3: Enable access logs

You can enable access logs using the AWS Management Console or the AWS CLI. Note that when you enable access logs using the console, you can have Elastic Load Balancing create the bucket for you with necessary permissions for the load balancer to write to your bucket.

Use the following example to capture and deliver logs to your S3 bucket every 60 minutes (the default interval).

To enable access logs for your load balancer using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.

  3. Select your load balancer.

  4. On the Description tab, choose Configure Access Logs.

  5. On the Configure Access Logs page, do the following:

    1. Choose Enable access logs.

    2. Leave Interval as the default, 60 minutes.

    3. For S3 location, type the name of your S3 bucket, including the prefix (for example, my-loadbalancer-logs/my-app). You can specify the name of an existing bucket or a name for a new bucket.

    4. (Optional) If the bucket does not exist, choose Create this location for me. You must specify a name that is unique across all existing bucket names in Amazon S3 and follows the DNS naming conventions. For more information, see Rules for bucket naming in the Amazon Simple Storage Service User Guide.

    5. Choose Save.

To enable access logs for your load balancer using the AWS CLI

First, create a .json file that enables Elastic Load Balancing to capture and deliver logs every 60 minutes to the S3 bucket that you created for the logs: 

{ 
  "AccessLog": {
    "Enabled": true,
    "S3BucketName": "my-loadbalancer-logs",
    "EmitInterval": 60,
    "S3BucketPrefix": "my-app"
  }
}

To enable access logs, specify the .json file in the modify-load-balancer-attributes command as follows: 

aws elb modify-load-balancer-attributes --load-balancer-name my-loadbalancer --load-balancer-attributes file://my-json-file.json

The following is an example response:

{
    "LoadBalancerAttributes": {
        "AccessLog": {
            "Enabled": true,
            "EmitInterval": 60,
            "S3BucketName": "my-loadbalancer-logs",
            "S3BucketPrefix": "my-app"
        }
    },
    "LoadBalancerName": "my-loadbalancer"
}

Step 4: Verify that the load balancer created a test file in the S3 bucket

After the access log is enabled for your load balancer, Elastic Load Balancing validates the S3 bucket and creates a test file. You can use the S3 console to verify that the test file was created.

To verify that Elastic Load Balancing created a test file in your S3 bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Select your S3 bucket.

  3. Navigate to the bucket that you specified for access logging and look for ELBAccessLogTestFile. For example, if you used the console to create the bucket and bucket policy, the path is as follows: 

    my-bucket/prefix/AWSLogs/123456789012/ELBAccessLogTestFile

To manage the S3 bucket for your access logs

After you enable access logging, be sure to disable access logging before you delete the bucket with your access logs. Otherwise, if there is a new bucket with the same name and the required bucket policy created in an AWS account that you don't own, Elastic Load Balancing could write the access logs for your load balancer to this new bucket.