How do I troubleshoot permission issues when uploading Elastic Load Balancing access logs to an Amazon S3 bucket?

Last updated: 2022-05-16

I'm uploading Elastic Load Balancing access logs to an Amazon Simple Storage Service (Amazon S3) bucket and getting errors. How do I troubleshoot this?

Short description

To use access logs with your load balancer, the load balancer and the Amazon S3 bucket must be in the same account. You must also attach a bucket policy to the Amazon S3 bucket that grants Elastic Load Balancing permission to write to the bucket. Depending on the error message you receive, see the related resolution section.

Note: Network Load Balancers (NLB) support access logs only for Transport Layer Security (TLS) listeners. The log contains information about TLS requests made to the Network Load Balancer. Transmission Control Protocol (TCP) is not supported.

Resolution

"S3Bucket: my-access-log-bucket is not located in the same region with ELB: app/my-load-balancer/50dc6c495c0c9188"

This error indicates that your Amazon S3 bucket and load balancer aren't located in the same Region. The Amazon S3 bucket can be in a different Region but must be in the same account as the load balancer.

"Access Denied for bucket: my-access-log-bucket. Please check S3bucket permission"

This error indicates that the Amazon S3 bucket doesn't have a policy that grants permission to write the access logs.

To resolve this error, verify that the bucket policy grants permission to write logs to your bucket. Confirm that you replaced the placeholders with the correct name and prefix of your bucket. Confirm that you have the correct ID of the AWS account for Elastic Load Balancing, based on the Region for your load balancer.

For more information on the required permissions, see:

If you're using an encrypted bucket, make sure to use an Amazon S3-managed encryption key (SSE-S3). Other encryption methods, such as AWS KMS keys, are not supported for Network Load Balancer access logs.

"The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again."

If you receive this error, verify that your access logs bucket prefix doesn't include "AWSLogs".
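
The bucket policy checks from the "Access Denied" section and the prefix check above can be run offline against a saved copy of the policy. The following Python is an added example, not AWS code. It assumes the policy grants s3:PutObject to the Regional Elastic Load Balancing account as an IAM principal and that logs are written under prefix/AWSLogs/your-account-id/; the account IDs and the "prod" prefix are constructed placeholders.

```python
import json
import re

SAMPLE_POLICY = json.dumps({  # constructed sample; account IDs are placeholders
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-access-log-bucket/prod/AWSLogs/222222222222/*",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM-style wildcards: '*' is any run of characters, '?' is one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def check_log_policy(policy_json, bucket, prefix, elb_account_id, own_account_id):
    """Return problems found; [] means one Allow statement covers log delivery (Deny/Condition not evaluated)."""
    problems = []
    if "AWSLogs" in prefix:
        problems.append("prefix must not include 'AWSLogs'")
    path = prefix.strip("/") + "/" if prefix else ""
    # Constructed object key under the location the load balancer writes to.
    target = f"arn:aws:s3:::{bucket}/{path}AWSLogs/{own_account_id}/sample.log"
    wanted = {f"arn:aws:iam::{elb_account_id}:root", elb_account_id, "*"}
    principal_seen = resource_seen = False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(_matches(a.lower(), "s3:putobject") for a in actions):
            continue
        who = st.get("Principal", {})
        who = _as_list(who.get("AWS", [])) if isinstance(who, dict) else _as_list(who)
        p_ok = any(w in wanted for w in who)
        r_ok = any(_matches(r, target) for r in _as_list(st.get("Resource", [])))
        if p_ok and r_ok:
            return problems
        principal_seen, resource_seen = principal_seen or p_ok, resource_seen or r_ok
    if not principal_seen:
        problems.append("no s3:PutObject Allow statement names the ELB account for this Region")
    if not resource_seen:
        problems.append(f"no s3:PutObject Allow statement covers {target}")
    if principal_seen and resource_seen:
        problems.append("principal and resource are allowed only in separate statements")
    return problems
```

Pass the policy text as returned by your bucket, the bucket name and prefix configured on the load balancer, the Elastic Load Balancing account ID for your Region, and your own account ID.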

Additional troubleshooting

If you verified your S3 bucket policy and configuration and still can't view logs, verify that the load balancer is receiving traffic. To verify whether the load balancer is receiving traffic, check the ActiveConnectionCount and RequestCount metrics.

