Amazon S3 bucket permissions for flow logs
By default, Amazon S3 buckets and the objects they contain are private. Only the bucket owner can access the bucket and the objects stored in it. However, the bucket owner can grant access to other resources and users by writing an access policy.
If the user creating the flow log owns the bucket and has PutBucketPolicy and GetBucketPolicy permissions for the bucket, we automatically attach the following policy to the bucket. This policy overwrites any existing policy attached to the bucket.
Otherwise, the bucket owner must add this policy to the bucket, specifying the AWS account ID of the flow log creator, or flow log creation fails. For more information, see Using bucket policies in the Amazon Simple Storage Service User Guide.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "my-s3-arn/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account_id",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:region:account_id:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::bucket_name",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account_id"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:region:account_id:*"
                }
            }
        }
    ]
}
The ARN that you specify for my-s3-arn depends on whether you use Hive-compatible S3 prefixes.
- Default prefixes: arn:aws:s3:::bucket_name/optional_folder/AWSLogs/account_id/*
- Hive-compatible S3 prefixes: arn:aws:s3:::bucket_name/optional_folder/AWSLogs/aws-account-id=account_id/*
It is a best practice to grant these permissions to the log delivery service principal instead of individual AWS account ARNs. It is also a best practice to use the aws:SourceAccount and aws:SourceArn condition keys to protect against the confused deputy problem. The source account is the owner of the flow log and the source ARN is the wildcard (*) ARN of the logs service.
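The following is an added example, not part of this guide or of any AWS tooling: it builds the bucket policy shown above for a given bucket, account, region and prefix style, and audits an existing bucket policy (for instance one fetched with GetBucketPolicy) for Allow statements granted to the log delivery principal that lack the aws:SourceAccount and aws:SourceArn conditions the best-practice paragraph calls for. The function names, the optional folder argument and the hive flag are this example's own.

```python
import json

LOG_DELIVERY = "delivery.logs.amazonaws.com"


def flow_log_bucket_policy(bucket, account_id, region, folder="", hive=False):
    """Build the flow log bucket policy for one bucket/account/region.
    folder is the optional prefix; hive selects the Hive-compatible key layout."""
    prefix = f"/{folder}" if folder else ""
    acct = f"aws-account-id={account_id}" if hive else account_id

    def cond(extra=None):
        # Every statement pins the caller to this account and to the logs
        # service ARN; this is the confused-deputy protection described above.
        return {
            "StringEquals": {"aws:SourceAccount": account_id, **(extra or {})},
            "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"},
        }

    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}{prefix}/AWSLogs/{acct}/*",
         "Condition": cond({"s3:x-amz-acl": "bucket-owner-full-control"})},
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY}, "Action": ["s3:Get*", "s3:List*"],
         "Resource": f"arn:aws:s3:::{bucket}", "Condition": cond()},
    ]}


def unguarded_log_delivery_sids(policy):
    """Audit helper: return the Sids of Allow statements for the log delivery
    principal that are missing aws:SourceAccount or aws:SourceArn."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    bad = []
    for st in policy.get("Statement", []):
        services = st.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if st.get("Effect") != "Allow" or LOG_DELIVERY not in services:
            continue
        # IAM condition keys are case-insensitive, so compare lowercased.
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        if not {"aws:sourceaccount", "aws:sourcearn"} <= keys:
            bad.append(st.get("Sid", "<no Sid>"))
    return bad
```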