How do I prepare an S3 bucket to receive S3 logs?

I’m using Terraform to create two S3 buckets, one to contain my website and a second bucket to store logs generated by S3. My trouble is that I’m not sure how to prepare the second bucket to allow S3 to write logs into it. My declaration looks something like this:

resource "aws_s3_bucket" "website" {
  bucket = "website"
  acl = "private"

  logging {
    target_bucket = "${}"
    target_prefix = "s3/"

resource "aws_s3_bucket" "logs" {
  bucket = "logs
  acl = "private"

But when I try to apply this configuration, terraform gives me a reasonable error.

1 error occurred:

  • 1 error occurred:
  • Error putting S3 logging: InvalidTargetBucketForLogging: You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket

I found a relevant question on Stack Overflow, but the top voted answer has a comment about needing to “tighten this up” so I don’t feel comfortable copying the answer there.

Amazon has pretty good instructions for granting access to the Log Delivery Group, but of course that doesn’t really help when using Terraform.

Never mind, I found the answer right after submitting this question. I need to use the acl property on the bucket to choose log-delivery-write as the ACL, which is one of the Canned ACLs defined by Amazon.

resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-tf-log-bucket"
  acl    = "log-delivery-write"

And here’s exactly which permissions end up being granted.

The LogDelivery group gets WRITE and READ_ACP permissions on the bucket.

I found my answer here:

1 Like