How do I troubleshoot S3 related errors while setting up ELB access logging?
Last updated: 2022-11-11
I'm getting an error while setting up Elastic Load Balancing (ELB) access logs using an Amazon Simple Storage Service (Amazon S3) bucket. How do I troubleshoot this?
To use access logs with your load balancer, the load balancer and the Amazon S3 bucket must be in the same account. You must also attach a bucket policy to the Amazon S3 bucket that allows ELB permission to write to the bucket. Depending on the error message you receive, see the related resolution section.
Note: Network Load Balancers (NLB) support access logs only for Transport Layer Security (TLS) listeners. The log contains information about TLS requests made to the Network Load Balancer. Transmission Control Protocol (TCP) is not supported.
"S3Bucket: my-access-log-bucket is not located in the same region with ELB: app/my-load-balancer/50dc6c495c0c9188"
This error indicates that your Amazon S3 bucket and load aren't located in the same Region. The Amazon S3 bucket can be in a different Region but must be in the same account as the load balancer.
"Access Denied for bucket: my-access-log-bucket. Please check S3bucket permission"
This error indicates that the Amazon S3 bucket doesn't have a policy that grants permission to write the access logs.
To resolve this error, verify that the bucket policy grants permission to write logs to your bucket. Confirm that you have the correct placeholders for the name and prefix of your bucket. Confirm you have the correct ID of the AWS account for Elastic Load Balancing, based on the Region for your load balancer.
For more information on the required permissions, see:
- Application Load Balancer: Bucket permissions
- Network Load Balancer: Bucket requirements
- Classic Load Balancer: Attach a policy to your S3 bucket
The Amazon S3-Managed Key option can be used to encrypt access logs for all types of ELB. Additionally, Network Load Balancers support AWS KMS customer managed keys to encrypt access logs. You can't use AWS KMS AWS Managed Key for encrypting ELB access logs.
"The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again."
If you receive this error, verify that your access logs bucket prefix doesn't include "AWSLogs."
If you verified your S3 bucket policy and configuration but still can't view logs, verify that the load balancer is receiving traffic. To verify whether the load balancer is receiving traffic, check the ActiveConnectionCount and RequestCount metrics.