Enabling Access Logs for AWS ELB (ALB) with Terraform

Atsushi Suzuki - Aug 14 - - Dev Community

While attempting to enable access logs for an Application Load Balancer (ALB) in AWS, I encountered a permissions error due to insufficient S3 bucket permissions. The error highlighted the need for proper bucket policy settings, which I had initially overlooked.

│ Error: modifying ELBv2 Load Balancer (arn:aws:elasticloadbalancing:ap-northeast-1:************:loadbalancer/app/alb-prod/fbbd3f2304ff9285) attributes: InvalidConfigurationRequest: Access Denied for bucket: logs-prod. Please check S3 bucket permission

Upon reviewing the official documentation, I realized that I had missed configuring the bucket policy.

Official AWS Documentation on Enabling Access Logging

Here's how I resolved the error using Terraform, which might be helpful if you encounter a similar issue.

S3 Bucket Setup

I used the bucket name logs-prod and the prefix alb/alb-prod. The number 582318560864 is the AWS account ID that Elastic Load Balancing uses to write logs in the Tokyo (ap-northeast-1) region, which is why it appears as the principal in the bucket policy. Replace <account-id> with your own AWS account ID.

resource "aws_s3_bucket" "logs_prod" {
  bucket = "logs-prod"

  tags = {
    Environment = "prod"
  }
}

resource "aws_s3_bucket_policy" "logs_prod_policy" {
  bucket = aws_s3_bucket.logs_prod.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::582318560864:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::logs-prod/alb/alb-prod/AWSLogs/<account-id>/*"
    }
  ]
}
POLICY
}

ALB Configuration

I added an access_logs block to the ALB setup to enable logging, specify the bucket name, and set the prefix.

resource "aws_lb" "alb_prod" {
  name                       = "alb-prod"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [var.security_group_elb_sg_id]
  subnets                    = [var.subnet_public_1a_id, var.subnet_public_1c_id]
  enable_deletion_protection = true
  preserve_host_header       = true

  # Access logs are delivered to logs-prod under alb/alb-prod/AWSLogs/<account-id>/
  access_logs {
    enabled = true
    bucket  = "logs-prod"
    prefix  = "alb/alb-prod"
  }

  tags = {
    Environment = "prod"
  }
}

By applying these settings, I ensured correct and secure logging from the ALB to the specified S3 bucket.
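The same bucket setup, rewritten as an added example (not from the original post) so the region-specific ELB account and your own account ID are resolved by Terraform data sources instead of being hard-coded, with public access blocked on the log bucket. The resource and local names are my own; the hard-coded 582318560864 above is what `aws_elb_service_account` returns when the provider region is ap-northeast-1.

```hcl
# Added example: ALB access-log bucket with the ELB service account and the
# caller account ID looked up at plan time rather than hard-coded.
data "aws_elb_service_account" "this" {}  # ELB log-delivery account for the provider's region
data "aws_caller_identity" "current" {}   # your own account ID (replaces <account-id>)

locals {
  log_bucket = "logs-prod"
  log_prefix = "alb/alb-prod"
}

resource "aws_s3_bucket" "logs_prod" {
  bucket = local.log_bucket

  tags = {
    Environment = "prod"
  }
}

# Access logs contain client IPs, paths and query strings; never let them be public.
resource "aws_s3_bucket_public_access_block" "logs_prod" {
  bucket                  = aws_s3_bucket.logs_prod.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Only the regional ELB account may PutObject, and only under this ALB's prefix.
data "aws_iam_policy_document" "alb_logs" {
  statement {
    sid     = "AllowELBLogDelivery"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.this.arn]
    }

    resources = [
      "${aws_s3_bucket.logs_prod.arn}/${local.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "logs_prod" {
  bucket = aws_s3_bucket.logs_prod.id
  policy = data.aws_iam_policy_document.alb_logs.json
}
```

Because the ALB attribute update fails with the Access Denied error shown above if the policy is not yet in place, add `depends_on = [aws_s3_bucket_policy.logs_prod]` to the `aws_lb` resource so Terraform applies the policy first.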
