S3 Bucket Access Denied Error for ELB Access Logs in AWS CDK

152 views Asked by At

I'm facing an issue enabling access logs for an Elastic Load Balancer (ELB) in AWS CDK due to S3 bucket access denied errors. I've attempted to configure the bucket and policy in CDK, but the deployment gets stuck at step 2/4 and eventually times out.. It creates the bucket, but then cant add the policy from below code (The comments are there, because Ive tried different values as resources) and timeouts after a long time...

Ive read " you cannot enable logging on environment-agnostic stacks.", I am deploying with "--context environment=dev", so does that not work at all?

Creation from CDK didn't deploy fully:

    const albLogsBucket = new s3.Bucket(this, "AlbLogsBucket", {
      removalPolicy: RemovalPolicy.RETAIN,
      encryption: s3.BucketEncryption.S3_MANAGED,
    });

      const policyStatement = new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: [
        "s3:PutObject",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketAcl",
        "s3:GetObject",
      ],
      principals: [
        new iam.ServicePrincipal("logdelivery.elb.amazonaws.com"),
        new iam.ServicePrincipal("elasticloadbalancing.amazonaws.com"),
        // new iam.ArnPrincipal("arn:aws:iam::054676820928:root"),
      ],
      resources: [
        `${albLogsBucket.bucketArn}/*`,
        // `arn:aws:s3:::${albLogsBucket.bucketArn}/*`,
        //`arn:aws:s3:::${albLogsBucket.bucketName}/AWSLogs/${this.account}/*`,
      ],
      conditions: {
        StringEquals: {
          "s3:x-amz-acl": "bucket-owner-full-control",
        },
      },
    });

Bucket creation with aws console and JSON policy could not be imported I've also added the s3 Bucket manually over the aws console and added the bucket policy via json like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::054676820928:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::albrelayerbucketmanual/*"
        },
    ]
}

I took that approach to add the elb-account-id from here. But then I cannot import the s3 bucket into my cdk with the code below as it always returns TypeError: Cannot read properties of undefined (reading 'shouldSynthesize').

    const albLobgsBucket = s3.Bucket.fromBucketAttributes(
      this,
      "AlbLogsBucket",
      {
        bucketArn: "arn:aws:s3:::albrelayerbucketmanual",
        bucketName: "albrelayerbucketmanual",
        region: "eu-central-1",
      }
    );

    relayerLoadBalancer.logAccessLogs(albLogsBucket);

I also have the s3 endpoint added to my vpc:

vpc.addGatewayEndpoint("S3Endpoint", {
     service: GatewayVpcEndpointAwsService.S3,
});

Or how else would I set the s3Bucket as argument for "loadBalancer.logAccessLogs(s3Bucket);"?

1

There are 1 answers

1
moerv9 On BEST ANSWER
const albLogsBucket = new s3.Bucket(this, "AlbLogsBucket", {
  removalPolicy: RemovalPolicy.RETAIN,
  encryption: s3.BucketEncryption.S3_MANAGED,
});
albLogsBucket.grantReadWrite(taskDefinition.taskRole);
albLogsBucket.grantPut(taskDefinition.taskRole);
albLogsBucket.grantPutAcl(taskDefinition.taskRole);
FargateService.loadBalancer.logAccessLogs(albLogsBucket);

This worked from within CDK! Since all above handwritten policies failed, I guess the missing pieces were the last two lines, which allows to edit the Access Control Lists and to put Objects into the s3 buckets and not only read and write permission.

They need to be assigned to the task Role of the taskDefinition since this taskDefinition will be passed to the FargateService. Lastly the loadbalancer needs to be told that it can save the access logs in the newly created s3 bucket.