Configure AWS Cloudfront to log to S3 bucket in another AWS account
I have some AWS Cloudfront distributions spread out across different AWS accounts.
I'd like to store the access logs from these distributions in a single S3 bucket in a single AWS account.
This is possible, but it isn't documented (that I can find).
It isn't clear what update to the ACL is required on the log bucket, or what (if any) bucket policy is required.
What I seem to need is to update the ACL on the bucket to give FULL_CONTROL to a canonical id of whatever account in the other AWS account that Cloudfront uses to write logs.
If anyone else has configured this and can help, I'd be much obliged.
Solution 1:
(Updated for future reference)
Let's say your CloudFront distribution is in account 123456789012 with logging configured to a bucket your-logging-bucket in a different account.
- Create an S3 Bucket Policy that gives the CloudFront account 123456789012 permission to do s3:GetBucketAcl and s3:PutBucketAcl on your-logging-bucket. This is the required Bucket Policy (the Principal arn:aws:iam::123456789012:root is the CloudFront account):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
        "Action": [ "s3:GetBucketAcl", "s3:PutBucketAcl" ],
        "Resource": "arn:aws:s3:::your-logging-bucket"
      }
    ]
  }

- With that S3 Bucket Policy in place, create a new CloudFront distribution in account 123456789012 and in the create wizard enable logging to your-logging-bucket. Thanks to the above Bucket Policy it will create the appropriate ACLs for you. You can check that the official CloudFront account c4c1ede66af...8632f77d2d0 has been granted access by viewing S3 -> your-logging-bucket -> Permissions -> ACL. Configure all your other CF distributions in the 123... account to log into your-logging-bucket - it should now work for all pre-existing CF dists as well.
Hope that helps :)
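The two checks from the answer, written up as an added example (not code from the answer's author): building the bucket policy above and confirming that the bucket ACL now carries a FULL_CONTROL grant for CloudFront's canonical user. It generalizes the policy to a list of CloudFront accounts, since the question has distributions spread across several accounts, and it keeps the grant to the bucket-level ACL actions only, so the other accounts get no access to the log objects themselves. The bucket name, account IDs and canonical IDs are placeholders (the real CloudFront canonical ID is the one the console shows after logging is enabled; the answer only prints it truncated). The ACL check assumes the bucket still has ACLs enabled, which CloudFront standard logging requires; buckets created with Object Ownership set to "Bucket owner enforced" reject the ACL grant. The boto3 call is isolated in one function so the rest runs offline.

```python
"""Cross-account CloudFront logging bucket: build the policy, verify the ACL.
Added example; not code from the original answer or from AWS."""
import json

# Placeholders for the answer's values (constructed, not real IDs).
LOGGING_BUCKET = "your-logging-bucket"
CLOUDFRONT_ACCOUNTS = ["123456789012"]
CLOUDFRONT_CANONICAL_ID_PLACEHOLDER = "CLOUDFRONT-CANONICAL-ID-PLACEHOLDER"


def build_logging_bucket_policy(bucket, account_ids):
    """Return the answer's bucket policy as a dict, generalized to several
    CloudFront accounts (one root Principal per account).  Only the two
    bucket-level ACL actions are granted; nothing on the log objects."""
    if not account_ids:
        raise ValueError("at least one CloudFront account ID is required")
    for acct in account_ids:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontAccountsToManageLogBucketAcl",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
            "Action": ["s3:GetBucketAcl", "s3:PutBucketAcl"],
            "Resource": f"arn:aws:s3:::{bucket}",
        }],
    }


def has_full_control_grant(acl, canonical_id):
    """True if an ACL (in the shape boto3's get_bucket_acl returns) contains a
    FULL_CONTROL grant for the given canonical user ID.  A READ-only grant or
    a grant to a different ID does not count."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == canonical_id
                and grant.get("Permission") == "FULL_CONTROL"):
            return True
    return False


def apply_and_verify(bucket, account_ids, canonical_id):
    """Apply the policy and read back the ACL with boto3 (needs network and
    credentials for the bucket-owning account; not exercised offline)."""
    import boto3  # lazy import so the pure functions above work without it
    s3 = boto3.client("s3")
    policy = build_logging_bucket_policy(bucket, account_ids)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    return has_full_control_grant(s3.get_bucket_acl(Bucket=bucket), canonical_id)


# Constructed sample ACL, in get_bucket_acl's shape, as it looks once CloudFront
# has added its grant next to the bucket owner's own grant.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": CLOUDFRONT_CANONICAL_ID_PLACEHOLDER},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_logging_bucket_policy(LOGGING_BUCKET, CLOUDFRONT_ACCOUNTS), indent=2))
    print("CloudFront grant present:",
          has_full_control_grant(SAMPLE_ACL, CLOUDFRONT_CANONICAL_ID_PLACEHOLDER))
```

Run it as a script to print the policy document and the result of the ACL check against the constructed sample; call apply_and_verify from the bucket-owning account to do the same against a real bucket. If the check stays False after a new distribution has been created with logging enabled, the usual cause is the bucket having ACLs disabled.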