Reputation: 2722
What I try to do is to enable Standard Logging for a CloudFront distribution, via AWS console, as in the picture below:
I have set the following S3 Bucket Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::931426637260:user/relu"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:PutBucketAcl"
            ],
            "Resource": "arn:aws:s3:::[...]"
        }
    ]
}
"Block all public access" is Off.
Though, I keep getting this error:
The S3 bucket that you specified for CloudFront logs does not enable ACL access: [...].s3.amazonaws.com
I get this error even if I try to enable logging as the root user.
Does anybody have any idea what might be wrong?
Upvotes: 30
Views: 33218
Reputation: 29068
I experienced a similar issue when setting up AWS S3 for Cloudfront logs using Terraform AWS S3 module:
│ Error: creating CloudFront Distribution: operation error CloudFront: CreateDistributionWithTags, https response error StatusCode: 400, RequestID: 2cda27dd-105a-4656-b9c3-04ae8af40113, InvalidArgument: The S3 bucket that you specified for CloudFront logs does not enable ACL access: test-bucket.s3.us-east-1.amazonaws.com
│
│   with module.cloudfront.aws_cloudfront_distribution.this[0],
│   on .terraform\modules\cloudfront\main.tf line 27, in resource "aws_cloudfront_distribution" "this":
│   27: resource "aws_cloudfront_distribution" "this" {
│
Here's how I solved it:
All I needed to do was to enable control object ownership:
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 4.1.1"

  bucket = "test-bucket"
  acl    = "private"

  # Ownership controls keep bucket ACLs enabled, which CloudFront log delivery needs
  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  block_public_acls   = true
  block_public_policy = true
}
Upvotes: 0
Reputation: 141
For Terraform users:
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}
Upvotes: 12
Reputation: 9980
(screenshot)
(even though at the same time AWS tells you that it's not recommended to enable ACLs 🤔)
A majority of modern use cases in S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled
So as far as I have been able to determine, there is no way to adhere to the second message/recommendation (disable ACLs), while getting your CloudFront logs in your bucket.
If you're using the UI, see user3429660's answer.
In case someone is looking how to do this in CloudFormation:
Bucket:
  Type: AWS::S3::Bucket
  Properties:
    OwnershipControls:
      Rules:
        - ObjectOwnership: BucketOwnerPreferred
    [....]
(alternatively use ObjectOwnership: ObjectWriter)
That's all that's needed; even when using CloudFormation, the CloudFront Logger will automatically add itself to the ACLs (as long as they are enabled).
Upvotes: 30
Reputation: 1991
Check that you're not trying to send CloudFront logs to an S3 bucket in an unsupported region.
Yep - that's right, CloudFront doesn't support writing logs to S3 buckets in all regions. This is probably a less common problem, but it snagged me up.
Important
Don't choose an Amazon S3 bucket in any of the following Regions, because CloudFront doesn't deliver standard logs to buckets in these Regions:
- Africa (Cape Town)
- Asia Pacific (Hong Kong)
- Asia Pacific (Hyderabad)
- Asia Pacific (Jakarta)
- Asia Pacific (Melbourne)
- Europe (Milan)
- Europe (Spain)
- Europe (Zurich)
- Middle East (Bahrain)
- Middle East (UAE)
For the record, the error I was getting from CloudFormation was:
Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: xxxxx.s3.ap-southeast-4.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: 82xex74x-x184-472h-aekl-944276356rfe)'." (RequestToken: aekd4b6e-45ha-489a-013e-6203kl194c21, HandlerErrorCode: AccessDenied)
Upvotes: 6
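The answers above name three separate preconditions for a CloudFront standard-logging bucket: Object Ownership must leave ACLs enabled (ObjectWriter or BucketOwnerPreferred, not the ACL-disabling setting), the bucket must not sit in one of the listed unsupported Regions, and the caller must hold FULL_CONTROL in the bucket ACL. The preflight check below is an added example, not code from the question or any answer. It works on plain dicts in the shape the boto3 S3 client returns for get_bucket_ownership_controls, get_bucket_location and get_bucket_acl, so the sample responses are constructed and the checks run offline; the mapping from the Region names in the quoted docs to Region codes is mine, as are the function names and the optional live `fetch_and_check` wrapper.

```python
"""Preflight checks for an S3 bucket meant to receive CloudFront standard logs.

Added example; not from the original Q&A. Operates on dicts shaped like the
boto3 s3 client responses so it can be run offline on constructed input.
"""
from typing import Dict, List

# Region codes for the Regions the quoted CloudFront docs list as unsupported
# for standard log delivery (name-to-code mapping is mine, not from the page).
UNSUPPORTED_LOG_REGIONS = {
    "af-south-1",      # Africa (Cape Town)
    "ap-east-1",       # Asia Pacific (Hong Kong)
    "ap-south-2",      # Asia Pacific (Hyderabad)
    "ap-southeast-3",  # Asia Pacific (Jakarta)
    "ap-southeast-4",  # Asia Pacific (Melbourne)
    "eu-south-1",      # Europe (Milan)
    "eu-south-2",      # Europe (Spain)
    "eu-central-2",    # Europe (Zurich)
    "me-south-1",      # Middle East (Bahrain)
    "me-central-1",    # Middle East (UAE)
}

# Object Ownership values under which bucket ACLs stay enabled, so CloudFront's
# log delivery principal can be granted access via the ACL. The third value,
# BucketOwnerEnforced, disables ACLs and produces the "does not enable ACL
# access" error from the question.
ACL_ENABLED_OWNERSHIP = {"ObjectWriter", "BucketOwnerPreferred"}


def check_log_bucket(ownership: Dict, location: Dict, acl: Dict,
                     caller_canonical_id: str) -> List[str]:
    """Return a list of problems; an empty list means the bucket passes."""
    problems: List[str] = []

    # 1. Object Ownership must leave ACLs enabled.
    rules = ownership.get("OwnershipControls", {}).get("Rules", [])
    if not rules:
        problems.append("no OwnershipControls rule returned; confirm ACLs are "
                        "enabled under Permissions -> Object Ownership")
    else:
        setting = rules[0].get("ObjectOwnership")
        if setting not in ACL_ENABLED_OWNERSHIP:
            problems.append(f"ObjectOwnership is {setting}; ACLs are disabled, "
                            f"set ObjectWriter or BucketOwnerPreferred")

    # 2. Bucket Region must be one CloudFront delivers logs to.
    # The S3 API returns LocationConstraint=None for us-east-1.
    region = location.get("LocationConstraint") or "us-east-1"
    if region in UNSUPPORTED_LOG_REGIONS:
        problems.append(f"bucket is in {region}; CloudFront does not deliver "
                        f"standard logs to buckets in this Region")

    # 3. The caller's canonical user must hold FULL_CONTROL in the bucket ACL.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == caller_canonical_id
                and grant.get("Permission") == "FULL_CONTROL"):
            break
    else:
        problems.append("bucket ACL does not grant FULL_CONTROL to the caller")

    return problems


def fetch_and_check(bucket: str) -> List[str]:
    """Live variant (hypothetical helper): pulls the three responses with
    boto3 and needs credentials; the SDK is imported lazily so the offline
    checks above do not depend on it."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        ownership = s3.get_bucket_ownership_controls(Bucket=bucket)
    except ClientError:
        ownership = {}  # no ownership controls configured on this bucket
    location = s3.get_bucket_location(Bucket=bucket)
    acl = s3.get_bucket_acl(Bucket=bucket)
    caller_id = s3.list_buckets()["Owner"]["ID"]
    return check_log_bucket(ownership, location, acl, caller_id)


# Constructed sample responses (no real buckets or accounts).
OWNER_ID = "c0ffee" + "0" * 58  # constructed canonical user ID
GOOD_OWNERSHIP = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}}
BAD_OWNERSHIP = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}
VIRGINIA = {"LocationConstraint": None}
MELBOURNE = {"LocationConstraint": "ap-southeast-4"}
FULL_CONTROL_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
                "Permission": "FULL_CONTROL"}],
}

if __name__ == "__main__":
    print("good:", check_log_bucket(GOOD_OWNERSHIP, VIRGINIA, FULL_CONTROL_ACL, OWNER_ID))
    print("bad: ", check_log_bucket(BAD_OWNERSHIP, MELBOURNE, FULL_CONTROL_ACL, "other"))
```

Running the constructed samples reports nothing for the correctly configured bucket and three findings for the bad one (ACLs disabled, unsupported Region, no FULL_CONTROL grant), which matches the three distinct error messages quoted on this page. The check does not inspect the bucket policy from the question: as the CloudFormation error text states, s3:GetBucketAcl and s3:PutBucketAcl are an IAM requirement on the caller, separate from the bucket's own ACL and ownership settings.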
Reputation: 316
The reason it isn't working is that the S3 Object Ownership prevents CloudFront from delivering log files to the bucket. The accepted answer is correct, however, it took me a second to get to that setting.
To get to the setting
S3 -> Buckets -> Your_bucket_name -> Permissions -> Object Ownership
The object ownership setting will be a little bit down the page. Hopefully, this helps someone! I'm happy to provide more detail if that would be helpful.
Upvotes: 5
Reputation: 41
This line from the docs covers your findings:
That setting disables ACLs for the bucket and the objects in it, which prevents CloudFront from delivering log files to the bucket.
i.e. ACLs are needed. The relevant docs are here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
Upvotes: 3