Configure AWS Cloudfront to log to S3 bucket in another AWS account


(Updated for future reference)

Let's say your CloudFront distribution is in account 123456789012 with logging configured to a bucket your-logging-bucket in a different account.

  1. Create an S3 Bucket Policy that gives the CloudFront account 123456789012 permissions to do s3:GetBucketAcl and s3:PutBucketAcl on your-logging-bucket.

    This is the required Bucket Policy (the Principal is the CloudFront account):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:root"
          },
          "Action": [
            "s3:GetBucketAcl",
            "s3:PutBucketAcl"
          ],
          "Resource": "arn:aws:s3:::your-logging-bucket"
        }
      ]
    }

  2. With that S3 Bucket Policy in place, create a new CloudFront distribution in account 123456789012 and in the create wizard enable logging to your-logging-bucket. Thanks to the above Bucket Policy it will create the appropriate ACLs for you.

    You can check that the official CloudFront account c4c1ede66af...8632f77d2d0 has been granted access by viewing S3 -> your-logging-bucket -> Permissions -> ACL


  3. Configure all your other CF distributions in the 123... account to log into your-logging-bucket - it should now work for all pre-existing CF dists as well.

Hope that helps :)
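As an added example (not part of the answer or the comments on this page), the script below builds the step-1 bucket policy for a given CloudFront account and audits the bucket ACL after step 2, using the log-delivery canonical ID quoted in the comments. The sample ACL is constructed to mirror the shape of boto3's get_bucket_acl response; no AWS calls are made, and the function and variable names are my own. One point worth keeping in mind when granting this policy: s3:PutBucketAcl lets the other account's root principal rewrite the whole bucket ACL, so the audit also lists any grantee other than the bucket owner and the CloudFront log-delivery user, which is the thing you want to see empty on a log bucket.

```python
"""Build the cross-account CloudFront logging bucket policy and audit the
resulting bucket ACL.  Added example; sample values below are constructed."""
import json

# Canonical user ID of the CloudFront log-delivery account ("awslogsdelivery"),
# as quoted in the comments on this page and in the CloudFront developer guide.
CLOUDFRONT_LOG_DELIVERY_ID = (
    "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
)


def build_logging_bucket_policy(cloudfront_account_id: str, bucket: str) -> dict:
    """Step 1 of the answer: allow the CloudFront account to read and rewrite
    the bucket ACL, and nothing else.  The Resource is the bucket ARN only;
    no object-level (bucket/*) access is granted."""
    if not (cloudfront_account_id.isdigit() and len(cloudfront_account_id) == 12):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{cloudfront_account_id}:root"},
                "Action": ["s3:GetBucketAcl", "s3:PutBucketAcl"],
                "Resource": f"arn:aws:s3:::{bucket}",
            }
        ],
    }


def audit_logging_bucket_acl(acl: dict, bucket_owner_id: str) -> dict:
    """Step 2 check: confirm the CloudFront log-delivery user holds FULL_CONTROL
    and collect every grantee that is neither the bucket owner nor that user.
    `acl` has the shape boto3's get_bucket_acl returns ({'Owner': ..., 'Grants': [...]})."""
    delivery_ok = False
    unexpected = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        gid = grantee.get("ID")
        perm = grant.get("Permission")
        if grantee.get("Type") == "CanonicalUser" and gid == CLOUDFRONT_LOG_DELIVERY_ID:
            delivery_ok = delivery_ok or perm == "FULL_CONTROL"
        elif grantee.get("Type") == "CanonicalUser" and gid == bucket_owner_id:
            continue  # the owner's own grant is expected
        else:
            # Group grantees (AllUsers, AuthenticatedUsers) or other canonical
            # users have no business on a log bucket; surface them for review.
            unexpected.append((grantee.get("URI") or gid, perm))
    return {"cloudfront_full_control": delivery_ok, "unexpected_grants": unexpected}


# Constructed sample: the ACL after CloudFront has added its own grant.
SAMPLE_OWNER_ID = "0" * 64
SAMPLE_ACL = {
    "Owner": {"ID": SAMPLE_OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": SAMPLE_OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": CLOUDFRONT_LOG_DELIVERY_ID,
                     "DisplayName": "awslogsdelivery"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    policy = build_logging_bucket_policy("123456789012", "your-logging-bucket")
    print(json.dumps(policy, indent=2))
    print(audit_logging_bucket_acl(SAMPLE_ACL, bucket_owner_id=SAMPLE_OWNER_ID))
```

To run it against a real bucket, feed the output of `aws s3api get-bucket-acl --bucket your-logging-bucket` (parsed as JSON) into audit_logging_bucket_acl with the owner ID from the same response; the policy dict can be written out and attached with put-bucket-policy.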


Author: Garreth McDaid, Cloud/DevOps Engineer, Dublin, Ireland

Updated on September 18, 2022

Comments

  • Garreth McDaid
    Garreth McDaid over 1 year

    I have some AWS Cloudfront distributions spread out across different AWS accounts.

    I'd like to store the access logs from these distributions in a single S3 bucket in a single AWS account.

    This is possible, but it isn't documented (that I can find).

    It isn't clear what update to the ACL is required on the log bucket, or what (if any) bucket policy is required.

    What I seem to need is to update the ACL on the bucket to give FULL_CONTROL to a canonical id of what ever account in the other AWS account that Cloudfront uses to write logs.

    If anyone else has configured this and can help, I'd be much obliged.

    • Michael - sqlbot
      Michael - sqlbot over 5 years
      The canonical ID is always c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0 according to docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/…... but I've never tried to store logs cross-account. Seems unlikely.
    • Michael - sqlbot
      Michael - sqlbot over 5 years
      So it does! Interesting.
  • Garreth McDaid
    Garreth McDaid over 5 years
    I had tried this and it didn't work, but it more or less is the correct answer. I posed the same question to AWS Support and they advised the following: In the account that owns the S3 bucket, create a temporary CF distribution and enable logging on that to the bucket you wish to use. You can then remove that distribution. This should apply the correct ACL settings for the bucket. Then, create the bucket policy as above. After that, it should be possible to configure logging as required. You suggest that it's an either-or option, but from what I can see both steps are required.
  • MLu
    MLu over 5 years
    @GarrethMcDaid thanks for the comment, I have played with the permissions until I got it working and apparently didn't correctly identify the required steps in the right order :) I have now updated the answer for future reference. Hope it's correct now :)
  • Alexander
    Alexander over 2 years
    If it still doesn't work, try specifying the FQDN.