How to publish VPC Flow logs to a different account

A few AWS users have raised a question on repost.aws on the following:

• save flow log to a different account
• AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error

This post is to help other users who are facing the same issue.

• The first step: create a bucket with a unique name.

As per AWS's documentation IAM policy for IAM principals that publish flow logs to Amazon S3

We will be using the following substitutions in the following bucket policies:

Parameter	Example
[BucketName]	flowlogstestrandomnumber
[Region]	ap-southeast-2
[AccountB]	123456789101

• Policy from the documentation

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[BucketName]",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
            "Resource": "arn:aws:s3:::[BucketName]",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        }
    ]
}

• When we add a bucket policy to send VPC flow logs from AccountA to a S3 bucket in AccountB (different account), we notice the following error:

• The error is caused due to:

"Resource": "arn:aws:s3:::[BucketName]",

• We need to update the bucket policy to allow access to the bucket and the objects within the bucket by updating it as follows:

"Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],

• The final policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        }
    ]
}

• Create a flow log for a subnet in a VPC and take note of the subnet zone as we are going to launch an EC2 instance in the same subnet to create some traffic.

Note: For a quicker demonstration, let's choose 1 min interval (default is 10 mins)

• The flow Log is created:
  

• Launch an EC2 instance in the same subnet as the flow log.

• After a few minutes, the flow logs are stored in AccountA's S3 bucket and they are prefixed with AccountB's account number.

• Clean Up

  • Terminate EC2 instance
  • Delete the flow log from the subnet
  • Empty the bucket
  • Delete the bucket

• Summary

  • Remember to add both the bucket and the objects within the bucket as resources within the policy.

"Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],

• References
  • Using bucket policies

Comments

[Sri]

It has just come to my attention that Mr Sayed has copied this blog post, practically word for word including images used, and has posted this on his website sayed.work/dev-feed/how-to-publish... without giving me any credit for this content.

I find this extremely frustrating as I have spent several hours researching this information and curating this information for my blog.

The origin of this blog stemmed from the questions on repost.aws/ (links mentioned in the blog).

I have attempted to contact Mr Sayed and give him the opportunity to either take his post down or to give me credit for it. I haven't heard back from him as yet. Will keep you posted regarding this.

[Michael Tharrington]

Hey there,

My name is Michael and I'm a Community Manager at DEV.

We've run into this individual before! It's definitely not cool for them to scrape DEV and repost community member's article likes this.

I'lll see what we can do to help!

[Sri]

Thank you Michael