Terraform ELB S3 Permissions: Troubleshooting Guide

Introduction
Step-by-Step Guide
Code Example
Additional Notes
Summary
Conclusion
References

Introduction

To enable your AWS Application Load Balancer (ALB) to write access logs to an S3 bucket, you need to configure the correct permissions. Here's a breakdown of the process: First, ensure your S3 bucket resides in the same AWS region as your ALB and enable Amazon S3-Managed Encryption Keys (SSE-S3) for your bucket, which is a requirement for ALB access logs. Second, grant the ALB service permission to write logs to your bucket by using an aws_s3_bucket_policy resource in your Terraform code to attach a policy to your S3 bucket. Within the policy, specify an aws:SourceArn condition to limit access to the specific ARN of your ALB, enhancing security. Third, in your ALB configuration, specify the name of your S3 bucket where logs should be stored and provide the desired prefix if you want to organize logs within a specific folder in your bucket. Lastly, be aware of common issues such as permissions errors, regional constraints, and the SSE-S3 requirement. By following these steps and addressing potential issues, you can successfully configure your ALB to send access logs to your designated S3 bucket.

Step-by-Step Guide

To enable your AWS Application Load Balancer (ALB) to write access logs to an S3 bucket, you need to configure the correct permissions. Here's a breakdown of the process:

Bucket Location and Encryption:
- Ensure your S3 bucket resides in the same AWS region as your ALB.
- Enable Amazon S3-Managed Encryption Keys (SSE-S3) for your bucket. This is a requirement for ALB access logs.
S3 Bucket Policy:
- You need to grant the ALB service permission to write logs to your bucket.
- Use an aws_s3_bucket_policy resource in your Terraform code to attach a policy to your S3 bucket.
- Within the policy, specify an aws:SourceArn condition to limit access to the specific ARN of your ALB. This enhances security by restricting access to only your ALB.
ALB Configuration:
- In your ALB configuration, specify the name of your S3 bucket where logs should be stored.
- If you want to organize logs within a specific folder (prefix) in your bucket, provide the desired prefix. Otherwise, leave it empty to store logs at the root level.
Common Issues:
- Permissions Errors: The most frequent errors occur due to incorrect S3 bucket policies. Double-check that the policy explicitly allows the ALB's ARN to write to the bucket.
- Regional Constraints: Ensure your bucket and ALB are in the same AWS region.
- SSE-S3 Requirement: Confirm that server-side encryption using SSE-S3 is enabled for your S3 bucket.

By following these steps and addressing potential issues, you can successfully configure your ALB to send access logs to your designated S3 bucket.

Code Example

This Terraform code sets up an S3 bucket with appropriate security policies to store access logs from an Application Load Balancer (ALB). It creates the bucket, configures it for server-side encryption, and grants the ALB permission to write logs to it. The code also defines an ALB and enables access logging, specifying the S3 bucket and an optional prefix for organizing log files. This ensures secure and organized storage of ALB access logs for monitoring and analysis.

# Create an S3 bucket for ALB access logs
resource "aws_s3_bucket" "alb_logs_bucket" {
  bucket = "your-alb-logs-bucket-name"
  acl    = "private"

  # Enforce server-side encryption with S3-managed keys (SSE-S3)
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Ensure the bucket is created in the same region as your ALB
  # Replace 'us-west-2' with your desired region
  force_destroy = false
  region        = "us-west-2"
}

# Create an S3 bucket policy to grant ALB write access
resource "aws_s3_bucket_policy" "alb_logs_bucket_policy" {
  bucket = aws_s3_bucket.alb_logs_bucket.id

  # Define the policy document
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.alb_logs_bucket.id}/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:elasticloadbalancing:${var.region}:${var.account_id}:loadbalancer/${aws_lb.alb.arn}"
        }
      }
    }
  ]
}
POLICY
}

# Create an Application Load Balancer
resource "aws_lb" "alb" {
  name               = "my-alb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb_sg.id]
  subnets            = [aws_subnet.public_subnet_1.id, aws_subnet.public_subnet_2.id]

  # ... other ALB configurations ...

  # Enable access logs and specify the S3 bucket
  access_logs {
    bucket  = aws_s3_bucket.alb_logs_bucket.bucket
    enabled = true
    # Optional: Specify a prefix for organizing logs within the bucket
    prefix = "alb-logs"
  }
}

Explanation:

S3 Bucket Creation:
- The code creates an S3 bucket named your-alb-logs-bucket-name (replace with your desired name).
- It sets the ACL to private for security.
- It enables server-side encryption using SSE-S3, which is mandatory for ALB access logs.
- It ensures the bucket is created in the same region as your ALB (replace us-west-2 with your region).
S3 Bucket Policy:
- The code defines an S3 bucket policy using aws_s3_bucket_policy.
- The policy grants the delivery.logs.amazonaws.com service (used by ALB) permission to write objects (s3:PutObject) to the bucket.
- It includes a condition to restrict access to the specific ARN of your ALB, enhancing security.
ALB Configuration:
- The code defines an Application Load Balancer named my-alb.
- Within the access_logs block:
  - It enables access logging by setting enabled = true.
  - It specifies the S3 bucket name (bucket) where logs should be stored.
  - It optionally sets a prefix (prefix) to organize logs within the bucket.

Important:

Replace placeholders like your-alb-logs-bucket-name, us-west-2, and my-alb with your actual values.
Ensure your ALB and S3 bucket are in the same AWS region.
This code assumes you have already defined other necessary resources like security groups and subnets.

By implementing this code, your ALB will be able to write access logs to your designated S3 bucket with the appropriate security measures in place.

Additional Notes

Log Format: ALB access logs follow a predefined format. Familiarize yourself with this format to effectively analyze the logs. You can customize the log format using fields documented in the AWS documentation.
Log Rotation: S3 doesn't automatically rotate logs. Consider using lifecycle policies on your S3 bucket to transition older logs to cheaper storage classes (e.g., S3 Glacier) or delete them after a certain period.
Centralized Logging: For managing logs from multiple ALBs, create a centralized S3 bucket and configure all your ALBs to send logs to this bucket. Use prefixes to distinguish logs from different ALBs.
Security Best Practices:
- Follow the principle of least privilege when defining S3 bucket policies. Grant only the necessary permissions.
- Enable S3 access logging on the logging bucket itself to track any unauthorized access attempts.
- Consider integrating with AWS CloudTrail to log all API calls made to your AWS account, including those related to ALB and S3.
Monitoring and Analysis:
- Leverage tools like Amazon Athena, Amazon CloudWatch Logs Insights, or third-party log management solutions to query, analyze, and visualize your ALB access logs.
- Set up CloudWatch alarms based on log metrics to get notified of unusual traffic patterns or potential issues.
Alternatives to S3: While S3 is a common choice, you can also configure your ALB to stream access logs to CloudWatch Logs or an HTTP/HTTPS endpoint. Evaluate these options based on your specific logging and monitoring requirements.
Cost Optimization: Be mindful of the potential costs associated with S3 storage, data transfer, and log analysis. Estimate your log volume and choose appropriate storage classes and analysis tools to optimize costs.

Summary

This guide outlines the process of enabling an AWS Application Load Balancer (ALB) to write access logs to an S3 bucket.

Step	Description	Key Points
1. Bucket Setup	Prepare the S3 bucket for receiving logs.	- Bucket must reside in the same AWS region as the ALB. - Enable SSE-S3 encryption on the bucket (mandatory).
2. Bucket Policy	Grant the ALB permission to write to the bucket.	- Use an `aws_s3_bucket_policy` resource in Terraform. - Specify the ALB's ARN in an `aws:SourceArn` condition for security.
3. ALB Configuration	Configure the ALB to send logs to the bucket.	- Specify the S3 bucket name. - Optionally, define a prefix (folder) within the bucket for log organization.
4. Troubleshooting	Address common configuration issues.	- Verify S3 bucket policy grants write access to the ALB's ARN. - Ensure the bucket and ALB are in the same AWS region. - Confirm SSE-S3 encryption is enabled on the bucket.

By following these steps, you can successfully configure your ALB to send access logs to your designated S3 bucket for analysis and monitoring.

Conclusion

In conclusion, enabling AWS ALB access logs to an S3 bucket is crucial for monitoring and troubleshooting your applications. By ensuring the bucket and ALB are in the same region, enabling SSE-S3 encryption, setting up appropriate bucket policies, and configuring your ALB correctly, you can successfully capture and analyze access logs. Remember to address common issues related to permissions, regional constraints, and encryption. Leverage this information to enhance your application's observability, security, and performance.

References

Creating an AWS IAM policy to write ALB access logs to S3? : r ... | Posted by u/friday963 - No votes and 2 comments
amazon web services - Terraform Failure configuring LB attributes ... | Feb 7, 2020 ... While it makes it seem like it's a permissions issue with the error ... Terraform ELB S3 Permissions Issue. Related. 1 · terraform plan throws ...
aws_s3_bucket_policy | Resources | hashicorp/aws | Terraform ... | Attaches a policy to an S3 bucket resource. Note: Policies can be attached to both S3 general purpose buckets and S3 directory buckets.
Configure S3 to store load balancer logs using Terraform | If you’ve ever encountered the following error (or similar) when setting up an AWS load balancer to write its logs to an s3 bucket using Terraform then you are not alone. I decided to write …
aws_lambda_permission | Resources | hashicorp/aws | Terraform ... | ELB (Elastic Load Balancing). ELB Classic. EMR ... Gives an external source (like an EventBridge Rule, SNS, or S3) permission to access the Lambda function.
Aws application load balancer cannot enable access logs via ... | I have an application load balancer and I’m trying to enable logging, terraform code below: resource "aws_s3_bucket" "lb-logs" { bucket = "yeo-messaging-${var.environment}-lb-logs" } resource "aws_s3_bucket_acl" "lb-logs-acl" { bucket = aws_s3_bucket.lb-logs.id acl = "private" } resource "aws_lb" "main" { name = "main" internal = false load_balancer_type = "application" security_groups = [aws_security_group.public.i...
[Bug]: unnecessary S3 permission from elasticbeanstalk · Issue ... | Terraform Core Version 1.5.5 AWS Provider Version 5.10.0 Affected Resource(s) When running terraform plan in our ci/cd pipeline which has been restricted with minimum set of permission, we get an e...
aws_s3_bucket_acl | Resources | hashicorp/aws | Terraform ... | permission - (Required) Logging permissions assigned to the grantee for the bucket. Valid values: FULL_CONTROL , WRITE , WRITE_ACP , READ , READ_ACP . See What ...
AWS ELB ModifyLoadBalancerAttributes omits required parameter ... | When configuring an Elastic Load Balancer to emit access logs to an S3 bucket, if you wish to emit the logs to the root of the target bucket, you specify the parameter bucket_prefix to be an empty ...