Reputation: 783
I set up a CloudFront distribution one year ago... and I had S3 logging enabled on it, linked to an S3 bucket named "cloudfront-s3".
Now I went back to check, and saw that the logs are not being sent to that bucket at all.
I cannot seem to find the problem or cause of WHY this is happening.
Any help would be appreciated.
Upvotes: 3
Views: 4005
Reputation: 328
In our case we are using custom KMS keys for the target logging bucket. For that, the key permissions need to be extended; see https://repost.aws/knowledge-center/cloudfront-logging-requests and https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
```json
{
  "Sid": "Allow CloudFront to use the key to deliver logs",
  "Effect": "Allow",
  "Principal": {
    "Service": "delivery.logs.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey*",
  "Resource": "*"
}
```
Upvotes: 0
Reputation: 1111
The following Terraform will re-enable the ACL for CloudFront:

```hcl
# Canonical user ID of the CloudFront log delivery account (awslogsdelivery)
data "aws_cloudfront_log_delivery_canonical_user_id" "current" {}

# Canonical user ID of the account that owns the bucket
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket" "access_logs" {
  bucket = "my-access-logs"
}

# S3 ignores ACLs when Object Ownership is BucketOwnerEnforced (the default for
# buckets created since April 2023), so allow ACLs before applying the grant.
resource "aws_s3_bucket_ownership_controls" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "access_logs" {
  depends_on = [aws_s3_bucket_ownership_controls.access_logs]
  bucket     = aws_s3_bucket.access_logs.id

  access_control_policy {
    # Grant the CloudFront log delivery account full control so it can write logs
    grant {
      grantee {
        id   = data.aws_cloudfront_log_delivery_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "FULL_CONTROL"
    }
    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}
```
I ran into this issue after updating my Terraform `aws_s3_bucket` resource to replace the deprecated `logging`, `versioning`, etc. attributes. Unfortunately, I didn't notice it until long after I made the update.

The `cloudfront_log_delivery_canonical_user_id` documentation is a good reference.
Upvotes: 0
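The two answers above point at two different reasons CloudFront can silently stop delivering logs: a missing KMS key-policy statement for `delivery.logs.amazonaws.com`, and a missing bucket ACL grant for the log delivery canonical user. The following script is an added example, not code from the thread, that checks both conditions offline, plus a third documented prerequisite the thread does not mention (S3 Object Ownership must not be `BucketOwnerEnforced`, which disables ACLs). It takes plain dicts and JSON strings in the shapes boto3 returns from `s3.get_bucket_acl`, `s3.get_bucket_ownership_controls` and `kms.get_key_policy`, so it can be wired to a real account; the sample inputs below are constructed, the account ID and owner ID are placeholders, and the awslogsdelivery canonical user ID is the value documented in the CloudFront developer guide and should be verified against current docs.

```python
"""Offline checks for the CloudFront standard-logging prerequisites discussed in this
thread. Inputs are dicts/strings in the shapes boto3 returns from s3.get_bucket_acl,
s3.get_bucket_ownership_controls and kms.get_key_policy; samples are constructed."""
import json
from typing import List, Optional

# Canonical user ID of the awslogsdelivery account CloudFront writes logs with
# (from the CloudFront developer guide; verify against the current docs).
AWSLOGSDELIVERY_CANONICAL_ID = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"


def acl_grants_log_delivery(acl: dict, canonical_id: str = AWSLOGSDELIVERY_CANONICAL_ID) -> bool:
    """True if the bucket ACL grants the log delivery account FULL_CONTROL."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == canonical_id
                and grant.get("Permission") == "FULL_CONTROL"):
            return True
    return False


def acls_enabled(ownership_controls: dict) -> bool:
    """S3 ignores ACLs entirely when Object Ownership is BucketOwnerEnforced."""
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    return all(r.get("ObjectOwnership") != "BucketOwnerEnforced" for r in rules)


def _as_list(value) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _action_matches(pattern: str, action: str) -> bool:
    """Minimal IAM action matcher: case-insensitive with a trailing '*' wildcard."""
    pattern, action = pattern.lower(), action.lower()
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action


def kms_policy_allows_log_delivery(policy_json: str) -> bool:
    """True if an Allow statement lets delivery.logs.amazonaws.com call
    kms:GenerateDataKey, directly or via a wildcard like kms:GenerateDataKey*."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and LOG_DELIVERY_SERVICE in services and any(
                _action_matches(a, "kms:GenerateDataKey") for a in _as_list(stmt.get("Action"))):
            return True
    return False


def diagnose(acl: dict, ownership_controls: dict, kms_policy_json: Optional[str]) -> List[str]:
    """Return one finding per unmet prerequisite; an empty list means all look met.
    Pass kms_policy_json=None for a bucket that does not use SSE-KMS."""
    findings = []
    if not acls_enabled(ownership_controls):
        findings.append("Object Ownership is BucketOwnerEnforced, so ACLs are disabled")
    if not acl_grants_log_delivery(acl):
        findings.append("bucket ACL has no FULL_CONTROL grant for the awslogsdelivery user")
    if kms_policy_json is not None and not kms_policy_allows_log_delivery(kms_policy_json):
        findings.append(f"KMS key policy does not let {LOG_DELIVERY_SERVICE} call kms:GenerateDataKey")
    return findings


# Constructed sample inputs (placeholder IDs, not from a real account).
OWNER_ID = "0" * 64
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}
DELIVERY_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": AWSLOGSDELIVERY_CANONICAL_ID},
                  "Permission": "FULL_CONTROL"}
BROKEN_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]}
FIXED_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT, DELIVERY_GRANT]}
ENFORCED = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}
PREFERRED = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}}
ADMIN_STMT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"}
DELIVERY_STMT = {"Sid": "Allow CloudFront to use the key to deliver logs", "Effect": "Allow",
                 "Principal": {"Service": LOG_DELIVERY_SERVICE},
                 "Action": "kms:GenerateDataKey*", "Resource": "*"}
BROKEN_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ADMIN_STMT]})
FIXED_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ADMIN_STMT, DELIVERY_STMT]})

if __name__ == "__main__":
    for label, args in (("broken", (BROKEN_ACL, ENFORCED, BROKEN_KEY_POLICY)),
                        ("fixed", (FIXED_ACL, PREFERRED, FIXED_KEY_POLICY))):
        findings = diagnose(*args)
        print(f"{label}: {'all prerequisites met' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Running it prints three findings for the "broken" inputs and none for the "fixed" ones. Against a real account, replace the sample inputs with the responses of the three boto3 calls named in the docstring; the "broken" case is what a bucket recreated with the current S3 defaults (ACLs disabled) looks like, which is consistent with logging stopping after the `aws_s3_bucket` resource was rewritten.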
Reputation: 783
I was able to solve this problem by disabling logging on the CloudFront distribution and then enabling it again.
Upvotes: 5