DEV Community

Atsushi Suzuki
Atsushi Suzuki

Posted on

Enabling Access Logs for AWS ELB (ALB) with Terraform

#webdev #aws #terraform #beginners

While attempting to enable access logs for an Application Load Balancer (ALB) in AWS, I encountered a permissions error due to insufficient S3 bucket permissions. The error highlighted the need for proper bucket policy settings, which I had initially overlooked.

│ Error: modifying ELBv2 Load Balancer (arn:aws:elasticloadbalancing:ap-northeast-1:************:loadbalancer/app/alb-prod/fbbd3f2304ff9285) attributes: InvalidConfigurationRequest: Access Denied for bucket: logs-prod. Please check S3 bucket permission
Enter fullscreen mode Exit fullscreen mode

Upon reviewing the official documentation, I realized that I had missed configuring the bucket policy.

Official AWS Documentation on Enabling Access Logging

Here's how I resolved the error using Terraform, which might be helpful if you encounter a similar issue.

S3 Bucket Setup

I used the bucket name logs-prod and the prefix alb/alb-prod. The number 582318560864 represents the AWS account ID for ELB in the Tokyo region. Replace <account-id> with your own AWS account ID.

resource "aws_s3_bucket" "logs_prod" {
  bucket = "logs-prod"

  tags = {
    Environment = "prod"
  }
}

resource "aws_s3_bucket_policy" "logs_prod_policy" {
  bucket = aws_s3_bucket.logs_prod.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::582318560864:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::logs-prod/alb/alb-prod/AWSLogs/<account-id>/*"
    }
  ]
}
POLICY
}
Enter fullscreen mode Exit fullscreen mode

ALB Configuration

I added an access_logs block to the ALB setup to enable logging, specify the bucket name, and set the prefix.

resource "aws_lb" "alb_prod" {
  name                       = "alb-prod"
  internal                   = false
  load balancer_type         = "application"
  security_groups            = [var.security_group_elb_sg_id]
  subnets                    = [var.subnet_public_1a_id, var.subnet_public_1c_id]
  enable_deletion_protection = true
  preserve_host_header       = true

  access_logs {
    enabled  = true
    bucket  = "logs-prod"
    prefix  = "alb/alb-prod"
  }

  tags = {
    Environment = "prod"
  }
}
Enter fullscreen mode Exit fullscreen mode

By applying these settings, I ensured correct and secure logging from the ALB to the specified S3 bucket.

Top comments (0)

Read next

jacobsternx profile image

Day 69 / 100 Days of Code: Bug Hunting in JavaScript

Jacob Stern -

mathuraditya7 profile image

Hono for Express Developers: A Modern Alternative for Edge Computing

Aditya Mathur -

enna profile image

Top 5 Best Practices for AWS Cost Allocation Tags in 2024

Ena Vaghela -

gbhorwood profile image

nginx: putting your site in ‘downtime’ for everyone except you

grant horwood -