
Application Load Balancer, LogAccessLogs doesn't follow best practice

See original GitHub issue

Describe the bug
The policy generated by the LogAccessLogs method allows too wide of a permission on a prefix of loadbalancer:

${log-bucket.Arn}/loadbalancer* vs ${log-bucket.Arn}/arn:aws:s3:::${log-bucket}/loadbalancer/AWSLogs/${AWS::AccountId}/*

To Reproduce
Create an ALB and call LogAccessLogs on it with a bucket. This generates a bucket policy with ${log-bucket.Arn}/loadbalancer*

Expected behavior
Generate a bucket policy with ${log-bucket.Arn}/arn:aws:s3:::${log-bucket}/loadbalancer/AWSLogs/${AWS::AccountId}/*

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Version:

  • OS - Win 10
  • Programming Language - CSharp
  • CDK Version - 0.28

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

1 reaction
McDoit commented, Jun 19, 2019

I think that can be up to the user to add a less restrictive policy for those rare cases?

AWS writes it like this:

For Amazon Resource Name (ARN), type the ARN of your S3 bucket in the following format. For aws-account-id, specify the ID of the AWS account that owns the load balancer (for example, 123456789012). Do not specify a wildcard for the account ID, as this would allow any other account to write access logs to your bucket. To use a single bucket to store access logs from load balancers in multiple accounts, specify one ARN per account in the bucket policy, using the corresponding AWS account ID in each ARN.

arn:aws:s3:::bucket/prefix/AWSLogs/aws-account-id/*

Otherwise anyone can send data to the bucket
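To make the distinction in the comment above concrete, here is an added policy linter (not CDK code and not from the issue) that flags PutObject grants whose resource is looser than the documented bucket/prefix/AWSLogs/aws-account-id/* shape, including a wildcard or wrong account id; the two sample policies and the principal string are constructed placeholders.

```python
import re

# Resource shape the ALB access-log docs quoted in the issue ask for:
#   arn:aws:s3:::bucket/prefix/AWSLogs/aws-account-id/*   (prefix is optional)
ALB_LOG_RESOURCE = re.compile(
    r"^arn:aws:s3:::(?P<bucket>[^/]+)/(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>[^/]+)/\*$"
)

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_alb_log_policy(policy, expected_account):
    """Return findings for Allow/PutObject grants looser than
    bucket/prefix/AWSLogs/<owning-account>/*; an empty list means no issue."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            m = ALB_LOG_RESOURCE.match(resource)
            if m is None:  # e.g. the 'loadbalancer*' prefix wildcard from the issue
                findings.append(f"{resource}: not scoped to prefix/AWSLogs/<account-id>/*")
            elif m.group("account") == "*":
                findings.append(f"{resource}: wildcard account id lets any account write")
            elif m.group("account") != expected_account:
                findings.append(f"{resource}: account id is not the owner {expected_account}")
    return findings

# Constructed sample resembling what the issue says CDK 0.28 generated (prefix wildcard).
# The principal is a placeholder; the real log-delivery principal is region-specific.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "<elb-log-delivery-principal>"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::log-bucket/loadbalancer*"}]}

# Constructed sample in the documented shape, pinned to the load balancer's account.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "<elb-log-delivery-principal>"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::log-bucket/loadbalancer/AWSLogs/123456789012/*"}]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_alb_log_policy(policy, "123456789012") or ["ok"])
```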

1 reaction
McDoit commented, Jun 18, 2019

Feel free, haven't dug into anything in it yet
