How do I troubleshoot S3 related errors while setting up ELB access logging?


I'm getting an error while setting up Elastic Load Balancing (ELB) access logs using an Amazon Simple Storage Service (Amazon S3) bucket.

Short description

To use access logs with your load balancer, the load balancer and the Amazon S3 bucket must be in the same account. You must also attach a bucket policy to the Amazon S3 bucket that allows ELB permission to write to the bucket. Depending on the error message that you receive, see the related resolution section.

Note: Network Load Balancers (NLB) support access logs only for Transport Layer Security (TLS) listeners. The log contains information about TLS requests made to the Network Load Balancer. Transmission Control Protocol (TCP) is not supported.

Resolution

"S3Bucket: my-access-log-bucket is not located in the same region with ELB: app/my-load-balancer/50dc6c495c0c9188"

This error indicates that your Amazon S3 bucket and load balancer aren't located in the same AWS Region. The Amazon S3 bucket can be in a different Region but must be in the same account as the load balancer.

"Access Denied for bucket: my-access-log-bucket. Please check S3bucket permission"

This error indicates that the Amazon S3 bucket doesn't have a policy that grants permission to write the access logs.

To resolve this error, verify that the bucket policy grants permission to write logs to your bucket. Confirm that you have the correct placeholders for the name and prefix of your bucket. Confirm you have the correct ID of the AWS account for Elastic Load Balancing, based on the Region for your load balancer.

For more information on the required permissions, see:

Server-side encryption with Amazon S3 managed keys (SSE-S3) can be used to encrypt access logs for ELB. Additionally, Network Load Balancers support AWS Key Management Service (AWS KMS) customer managed keys to encrypt access logs. You can't use AWS KMS managed keys for encrypting ELB access logs.

"The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again."

If you receive this error, verify that your access logs bucket prefix doesn't include "AWSLogs".
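The checks above (bucket Region versus the load balancer's Region, a bucket policy that lets the ELB principal write under AWSLogs/your-account-id/, and a prefix that does not itself contain "AWSLogs") can be run offline against the values you already have from the console or CLI. The script below is an added example, not code from the article or from AWS; it assumes the ELB account ID for your Region has been filled into the ELB_ACCOUNT_ID placeholder, uses the documentation placeholder account 111122223333 for the load balancer's own account, and deliberately ignores Deny statements and Condition elements when reading the bucket policy.

```python
import fnmatch
import json

ELB_ACCOUNT_ID = "123456789012"  # placeholder: use the Region-specific ELB account ID from the AWS docs
NLB_SERVICE_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"  # NLB log delivery principal

# Constructed sample inputs; 111122223333 stands in for the load balancer's own account.
LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/my-load-balancer/50dc6c495c0c9188"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ELB_ACCOUNT_ID}:root"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-access-log-bucket/my-prefix/AWSLogs/111122223333/*"}]})
# Same policy with the wrong account ID in the Resource: the load balancer's writes get denied.
WRONG_ACCOUNT_POLICY = GOOD_POLICY.replace("AWSLogs/111122223333/", "AWSLogs/999999999999/")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows_elb_put(policy, object_arn):
    """True if an Allow statement grants the ELB principal s3:PutObject on object_arn.
    Simplified evaluation: Deny statements and Condition elements are ignored."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if (f"arn:aws:iam::{ELB_ACCOUNT_ID}:root" not in _as_list(principal.get("AWS", []))
                and NLB_SERVICE_PRINCIPAL not in _as_list(principal.get("Service", []))):
            continue  # statement is not about the ELB log-delivery principal
        if (any(fnmatch.fnmatchcase("s3:PutObject", a) for a in _as_list(stmt.get("Action", [])))
                and any(fnmatch.fnmatchcase(object_arn, r) for r in _as_list(stmt.get("Resource", [])))):
            return True
    return False

def check_access_log_setup(lb_arn, bucket, bucket_region, prefix, policy_json):
    """Return the article's error messages that this configuration would trigger."""
    problems = []
    # ARN layout: arn:aws:elasticloadbalancing:<region>:<account>:loadbalancer/...
    _, _, _, lb_region, lb_account, _ = lb_arn.split(":", 5)
    if bucket_region != lb_region:
        problems.append(f"S3Bucket: {bucket} is not located in the same region with ELB")
    if "AWSLogs" in prefix:
        problems.append("Bucket prefix must not include 'AWSLogs'; ELB appends it itself")
    # ELB writes objects under [prefix/]AWSLogs/<lb-account>/...; test one such key.
    key_prefix = f"{prefix.strip('/')}/" if prefix.strip("/") else ""
    object_arn = f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{lb_account}/elasticloadbalancing/sample.log.gz"
    if not policy_allows_elb_put(json.loads(policy_json), object_arn):
        problems.append(f"Access Denied for bucket: {bucket}. Please check S3bucket permission")
    return problems
```

Feed it the load balancer ARN, the bucket's Region and prefix, and the output of `aws s3api get-bucket-policy`; an empty list means none of the three conditions described above applies.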

Additional troubleshooting

If you verified your S3 bucket policy and configuration but still can't view logs, verify that the load balancer is receiving traffic. To verify whether the load balancer is receiving traffic, check the ActiveConnectionCount and RequestCount metrics.

AWS OFFICIAL, updated a year ago
2 Comments

Hello,

There is a statement here where it is mentioned "To use access logs with your load balancer, the load balancer and the Amazon S3 bucket must be in the same account."

The documentation is mentioning a contradictory statement "The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts." [+] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#access-log-create-bucket

AWS
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 months ago