Enable access logs for your Network Load Balancer
When you enable access logging for your load balancer, you must specify the name of the S3 bucket where the load balancer will store the logs. The bucket must have a bucket policy that grants Elastic Load Balancing permission to write to the bucket.
Bucket requirements
You can use an existing bucket, or create a bucket specifically for access logs. The bucket must meet the following requirements.
Requirements
- The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts.
- The prefix that you specify must not include AWSLogs. We add the portion of the file name starting with AWSLogs after the bucket name and prefix that you specify.
- The bucket must have a bucket policy that grants permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket.
Example bucket policy
The following is an example policy. For the Resource elements, replace amzn-s3-demo-destination-bucket with the name of the S3 bucket for your access logs. Be sure to omit the Prefix/ if you are not using a bucket prefix. For aws:SourceAccount, specify the ID of the AWS account with the load balancer. For aws:SourceArn, replace region and 012345678912 with the Region and account ID of the load balancer, respectively.
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": ["012345678912"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:region:012345678912:*"]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/Prefix/AWSLogs/account-ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": ["012345678912"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:region:012345678912:*"]
                }
            }
        }
    ]
}
Encryption
You can enable server-side encryption for your Amazon S3 access log bucket in one of the following ways:
- Amazon S3-Managed Keys (SSE-S3)
- AWS KMS keys stored in AWS Key Management Service (SSE-KMS) †
† With Network Load Balancer access logs, you can't use AWS managed keys; you must use customer managed keys.
For more information, see Specifying Amazon S3 encryption (SSE-S3) and Specifying server-side encryption with AWS KMS (SSE-KMS) in the Amazon S3 User Guide.
The key policy must allow the service to encrypt and decrypt the logs. The following is an example policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
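The bucket requirements, the example bucket policy and the key policy above can be checked before you turn logging on. The following script is an added example, not code from the AWS documentation: it derives the object ARN the log delivery service writes to (bucket/prefix/AWSLogs/<account>/*), verifies that a bucket policy grants delivery.logs.amazonaws.com the s3:GetBucketAcl and s3:PutObject permissions on the right resources with the aws:SourceAccount and aws:SourceArn conditions from the example (without them, log delivery acting on behalf of any account could write into your bucket), and verifies that an SSE-KMS key policy grants the five kms actions listed. The sample policies embedded in the script are the page's examples with the placeholders filled in; the Region us-east-1 and the weak variant with its conditions removed are constructed for the demonstration.

```python
# Added example (not AWS documentation code): preflight checks for the bucket policy
# and SSE-KMS key policy an NLB needs before access-log delivery will succeed.
import json

LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
KMS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"}


def log_object_arn(bucket, prefix, account_id):
    """ARN of the log objects. The service appends AWSLogs/<account>/ to the bucket
    and prefix itself, which is why the prefix must not already contain AWSLogs."""
    if "AWSLogs" in prefix:
        raise ValueError("prefix must not include AWSLogs")
    prefix = prefix.strip("/")
    return f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}AWSLogs/{account_id}/*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _delivery_statements(policy, action):
    """Allow statements for the log delivery service principal that grant `action`."""
    found = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and LOG_DELIVERY_SERVICE in services
                and action in _as_list(stmt.get("Action", []))):
            found.append(stmt)
    return found


def check_bucket_policy(policy, bucket, prefix, account_id, region):
    """Return problems with the bucket policy; an empty list means it meets the requirements
    above, including the aws:SourceAccount / aws:SourceArn conditions that keep log delivery
    acting for another account from writing into the bucket."""
    problems = []
    object_arn = log_object_arn(bucket, prefix, account_id)
    source_arn = f"arn:aws:logs:{region}:{account_id}:*"
    acl = [s for s in _delivery_statements(policy, "s3:GetBucketAcl")
           if f"arn:aws:s3:::{bucket}" in _as_list(s.get("Resource", []))]
    put = [s for s in _delivery_statements(policy, "s3:PutObject")
           if object_arn in _as_list(s.get("Resource", []))]
    if not acl:
        problems.append("missing s3:GetBucketAcl grant on the bucket")
    if not put:
        problems.append(f"missing s3:PutObject grant on {object_arn}")
    for stmt in acl + [s for s in put if s not in acl]:
        sid = stmt.get("Sid", "<no Sid>")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        arn_like = stmt.get("Condition", {}).get("ArnLike", {})
        if account_id not in _as_list(equals.get("aws:SourceAccount", [])):
            problems.append(f"{sid}: aws:SourceAccount is not limited to {account_id}")
        if source_arn not in _as_list(arn_like.get("aws:SourceArn", [])):
            problems.append(f"{sid}: aws:SourceArn is not limited to {source_arn}")
        if stmt in put and equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
            problems.append(f"{sid}: s3:x-amz-acl must equal bucket-owner-full-control")
    return problems


def check_key_policy(policy):
    """Problems with a customer managed KMS key policy used for SSE-KMS on the log bucket."""
    missing = [a for a in sorted(KMS_ACTIONS) if not _delivery_statements(policy, a)]
    return [f"key policy does not grant {a} to {LOG_DELIVERY_SERVICE}" for a in missing]


# Constructed sample values: the page's placeholders with the Region set to us-east-1.
BUCKET, PREFIX, ACCOUNT_ID, REGION = "amzn-s3-demo-destination-bucket", "Prefix", "012345678912", "us-east-1"
_COND = {"StringEquals": {"aws:SourceAccount": [ACCOUNT_ID]},
         "ArnLike": {"aws:SourceArn": [f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:*"]}}
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Id": "AWSLogDeliveryWrite", "Statement": [
    {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}", "Condition": _COND},
    {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/AWSLogs/{ACCOUNT_ID}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", **_COND["StringEquals"]},
                   "ArnLike": _COND["ArnLike"]}}]}
# Constructed weak variant: the same grants with every Condition removed.
WEAK_BUCKET_POLICY = json.loads(json.dumps(SAMPLE_BUCKET_POLICY))
for _stmt in WEAK_BUCKET_POLICY["Statement"]:
    del _stmt["Condition"]
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE}, "Action": sorted(KMS_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    for name, problems in [("bucket policy", check_bucket_policy(SAMPLE_BUCKET_POLICY, BUCKET, PREFIX, ACCOUNT_ID, REGION)),
                           ("weak bucket policy", check_bucket_policy(WEAK_BUCKET_POLICY, BUCKET, PREFIX, ACCOUNT_ID, REGION)),
                           ("key policy", check_key_policy(SAMPLE_KEY_POLICY))]:
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run against a real bucket, load the output of `aws s3api get-bucket-policy` (the policy is returned as a JSON string inside the response) into `json.loads` and pass your own bucket, prefix, account ID and Region; the weak variant shows what the checker reports when the scoping conditions are dropped.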
Configure access logs
Use the following procedure to configure access logs to capture request information and deliver log files to your S3 bucket.
To enable access logging using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Load Balancers.
3. Select the name of your load balancer to open its details page.
4. On the Attributes tab, choose Edit.
5. On the Edit load balancer attributes page, do the following:
   a. For Monitoring, turn on Access logs.
   b. Choose Browse S3 and select a bucket to use. Alternatively, enter the location of your S3 bucket, including any prefix.
6. Choose Save changes.
To enable access logging using the AWS CLI
Use the modify-load-balancer-attributes command.
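As an added example (not AWS documentation code), the following script performs the same change through the boto3 elbv2 client, whose modify_load_balancer_attributes and describe_load_balancer_attributes calls correspond to the modify-load-balancer-attributes and describe-load-balancer-attributes CLI commands, and then reads the attributes back to confirm the change was applied. The load balancer attribute keys access_logs.s3.enabled, access_logs.s3.bucket and access_logs.s3.prefix are the existing Elastic Load Balancing attributes; the load balancer ARN, bucket name, prefix and Region in the script are constructed placeholders.

```python
# Added example (not AWS documentation code): enable access logs through the same API the
# modify-load-balancer-attributes command uses, then read the attributes back to confirm.

def access_log_attributes(bucket, prefix=""):
    """Attributes that turn on S3 access logging for a Network Load Balancer.
    The prefix is passed through unchanged; it must not contain AWSLogs because
    the service adds that segment to the object key itself (see Requirements)."""
    if "AWSLogs" in prefix:
        raise ValueError("prefix must not include AWSLogs")
    attributes = [{"Key": "access_logs.s3.enabled", "Value": "true"},
                  {"Key": "access_logs.s3.bucket", "Value": bucket}]
    if prefix:
        attributes.append({"Key": "access_logs.s3.prefix", "Value": prefix})
    return attributes


def unmet_attributes(expected, actual):
    """Keys whose value in `actual` (a DescribeLoadBalancerAttributes result, a list of
    {"Key", "Value"} dicts) differs from what we asked for. Empty means the change stuck."""
    current = {a["Key"]: a["Value"] for a in actual}
    return sorted(a["Key"] for a in expected if current.get(a["Key"]) != a["Value"])


def enable_access_logs(lb_arn, bucket, prefix="", region="us-east-1"):
    """Apply the attributes to the load balancer and return any that were not applied."""
    import boto3  # imported here so the pure helpers above run without the SDK installed
    elbv2 = boto3.client("elbv2", region_name=region)
    expected = access_log_attributes(bucket, prefix)
    elbv2.modify_load_balancer_attributes(LoadBalancerArn=lb_arn, Attributes=expected)
    actual = elbv2.describe_load_balancer_attributes(LoadBalancerArn=lb_arn)["Attributes"]
    return unmet_attributes(expected, actual)


if __name__ == "__main__":
    # Constructed placeholder ARN; replace with your load balancer's ARN.
    LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:012345678912:loadbalancer/net/my-nlb/0123456789abcdef"
    not_applied = enable_access_logs(LB_ARN, "amzn-s3-demo-destination-bucket", "Prefix")
    print("access logs enabled" if not not_applied else f"not applied: {not_applied}")
```

The equivalent CLI invocation passes the same three attributes: `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <your-lb-arn> --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=amzn-s3-demo-destination-bucket Key=access_logs.s3.prefix,Value=Prefix`. Reading the attributes back after the change is the check worth keeping in automation, because a load balancer that still reports access_logs.s3.enabled as false is one whose traffic you are not recording.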