Allow ALBs to log to the meta bucket

paradisec-archive · Feb 26, 2025 · a8d502b · a8d502b
1 parent eb078af
commit a8d502b
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/cdk/lib/main-stack.ts b/cdk/lib/main-stack.ts
@@ -101,6 +101,20 @@ export class MainStack extends cdk.Stack {
       { id: 'AwsSolutions-S1', reason: "This bucket holds logs for other buckets and we don't want a loop" },
     ]);
 
+    // Allow ALBs to log
+    const albLogBucketPolicy = new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      principals: [new iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com')],
+      actions: ['s3:PutObject'],
+      resources: [`${this.metaBucket.bucketArn}/s3-access-logs/*`],
+      conditions: {
+        StringEquals: {
+          's3:x-amz-acl': 'bucket-owner-full-control',
+        },
+      },
+    });
+    this.metaBucket.addToResourcePolicy(albLogBucketPolicy);
+
     // ////////////////////////
     // Catalog bucket
     // ////////////////////////