Enable access logs for your Network Load Balancer - Elastic Load Balancing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable access logs for your Network Load Balancer

When you enable access logging for your load balancer, you must specify the name of the S3 bucket where the load balancer will store the logs. The bucket must have a bucket policy that grants Elastic Load Balancing permission to write to the bucket.

Bucket requirements

You can use an existing bucket, or create a bucket specifically for access logs. The bucket must meet the following requirements.

Requirements
  • The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts.

  • The prefix that you specify must not include AWSLogs. We add the portion of the file name starting with AWSLogs after the bucket name and prefix that you specify.

  • The bucket must have a bucket policy that grants permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket.

Example bucket policy

The following is an example policy. For the Resource elements, replace amzn-s3-demo-destination-bucket with the name of the S3 bucket for your access logs. Be sure to omit the Prefix/ if you are not using a bucket prefix. For aws:SourceAccount, specify the ID of the Amazon account with the load balancer. For aws:SourceArn, replace region and 012345678912 with the Region and account ID of the load balancer, respectively.

{
  "Version": "2012-10-17",
  "Id": "AWSLogDeliveryWrite",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["012345678912"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws-cn:logs:region:012345678912:*"]
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket/Prefix/AWSLogs/account-ID/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": ["012345678912"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws-cn:logs:region:012345678912:*"]
        }
      }
    }
  ]
}

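As an added example that is not part of the Elastic Load Balancing documentation, the following Python renders the bucket policy above for a given bucket, prefix, Region and account, and audits an existing policy for the aws:SourceAccount and aws:SourceArn conditions that keep the log-delivery service from writing another account's logs into your bucket. The function names, the `partition` parameter and the sample values are my own, not the service's.

```python
import json

LOG_DELIVERY = "delivery.logs.amazonaws.com"


def build_bucket_policy(bucket, region, account_id, prefix="", partition="aws-cn"):
    """Render the page's bucket policy. ELB appends 'AWSLogs/<account>/...' itself,
    so the prefix must not contain it. partition is 'aws-cn' on this page, 'aws' elsewhere."""
    if "AWSLogs" in prefix:
        raise ValueError("prefix must not include AWSLogs")
    prefix_part = prefix.strip("/") + "/" if prefix.strip("/") else ""  # omit when unused
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    # Both conditions pin the writer to this account's log-delivery source ARNs.
    guard = {
        "StringEquals": {"aws:SourceAccount": [account_id]},
        "ArnLike": {"aws:SourceArn": [f"arn:{partition}:logs:{region}:{account_id}:*"]},
    }
    write_guard = json.loads(json.dumps(guard))  # deep copy before adding the ACL key
    write_guard["StringEquals"]["s3:x-amz-acl"] = "bucket-owner-full-control"
    return {
        "Version": "2012-10-17",
        "Id": "AWSLogDeliveryWrite",
        "Statement": [
            {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
             "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:GetBucketAcl",
             "Resource": bucket_arn, "Condition": guard},
            {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
             "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:PutObject",
             "Resource": f"{bucket_arn}/{prefix_part}AWSLogs/{account_id}/*",
             "Condition": write_guard},
        ],
    }


def policy_findings(policy):
    """Flag log-delivery statements that lack the conditions the page's template sets."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Service") != LOG_DELIVERY:
            continue
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append(f"{sid}: missing aws:SourceAccount condition")
        if "aws:SourceArn" not in cond.get("ArnLike", {}):
            findings.append(f"{sid}: missing aws:SourceArn condition")
        acl = cond.get("StringEquals", {}).get("s3:x-amz-acl")
        if stmt.get("Action") == "s3:PutObject" and acl != "bucket-owner-full-control":
            findings.append(f"{sid}: PutObject not limited to bucket-owner-full-control ACL")
    return findings
```

Run policy_findings over the output of `aws s3api get-bucket-policy` (parsed from JSON) to confirm an existing log bucket still carries both source conditions.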
Encryption

You can enable server-side encryption for your Amazon S3 access log bucket in one of the following ways:

  • Amazon S3-Managed Keys (SSE-S3)

  • Amazon KMS keys stored in Amazon Key Management Service (SSE-KMS) †

† With Network Load Balancer access logs, you can't use Amazon managed keys; you must use customer managed keys.

For more information, see Specifying Amazon S3 encryption (SSE-S3) and Specifying server-side encryption with Amazon KMS (SSE-KMS) in the Amazon S3 User Guide.

The key policy must allow the service to encrypt and decrypt the logs. The following is an example policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

Configure access logs

Use the following procedure to configure access logs to capture request information and deliver log files to your S3 bucket.

To enable access logging using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Select the name of your load balancer to open its details page.

  4. On the Attributes tab, choose Edit.

  5. On the Edit load balancer attributes page, do the following:

    1. For Monitoring, turn on Access logs.

    2. Choose Browse S3 and select a bucket to use. Alternatively, enter the location of your S3 bucket, including any prefix.

    3. Choose Save changes.

To enable access logging using the Amazon CLI

Use the modify-load-balancer-attributes command.