Assign ELB Account to S3 Bucket Policy

I used the AWS console from the load balancer edit attributes screen and used it to create a bucket to use for access logging. I'm using this policy to form CDK code in typescript to stand up new S3 buckets to use for access logging in higher level environments where I cannot use the console. This is the policy I need to somehow form in typescript CDK code:

"Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:--ELB-arnstuff--:root"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:--S3-Bucket-arnstuff--/AWSLogs/123456789/*"
    }
]

I've managed to get the cdk code figured out to this point:

bucket.addToResourcePolicy(
    new cdk.aws_iam.PolicyStatement({
      effect: awsIam.Effect.ALLOW,
      principals: [], // **This is the part I haven't figured out**
      actions: ['s3:PutObject'],
      resources: [`${bucket.bucketArn}/*`]  // template literal needs backticks, not quotes
    })
);

At this point I don't care if it's hard coded in the CDK, I just need something to help keep the ball rolling forward. Any help is appreciated, thanks

2 answers

  • answered 2022-05-06 23:06 Marcin

    The bucket policy, along with the AWS accounts to be used, is described in the AWS docs:

    Region           Region name                  Elastic Load Balancing account ID
    us-east-1        US East (N. Virginia)        127311923021
    us-east-2        US East (Ohio)               033677994240
    us-west-1        US West (N. California)      027434742980
    us-west-2        US West (Oregon)             797873946194
    af-south-1       Africa (Cape Town)           098369216593
    ca-central-1     Canada (Central)             985666609251
    eu-central-1     Europe (Frankfurt)           054676820928
    eu-west-1        Europe (Ireland)             156460612806
    eu-west-2        Europe (London)              652711504416
    eu-south-1       Europe (Milan)               635631232127
    eu-west-3        Europe (Paris)               009996457667
    eu-north-1       Europe (Stockholm)           897822967062
    ap-east-1        Asia Pacific (Hong Kong)     754344448648
    ap-northeast-1   Asia Pacific (Tokyo)         582318560864
    ap-northeast-2   Asia Pacific (Seoul)         600734575887
    ap-northeast-3   Asia Pacific (Osaka)         383597477331
    ap-southeast-1   Asia Pacific (Singapore)     114774131450
    ap-southeast-2   Asia Pacific (Sydney)        783225319266
    ap-southeast-3   Asia Pacific (Jakarta)       589379963580
    ap-south-1       Asia Pacific (Mumbai)        718504428378
    me-south-1       Middle East (Bahrain)        076674570225
    sa-east-1        South America (São Paulo)    507241528517
    us-gov-west-1*   AWS GovCloud (US-West)       048591011584
    us-gov-east-1*   AWS GovCloud (US-East)       190560391635
    cn-north-1*      China (Beijing)              638102146993
    cn-northwest-1*  China (Ningxia)              037604701340

  • answered 2022-05-07 15:16 JKK

    I figured out why it didn't work initially when I tried to do a .fromJson and just take the AWS-generated policy and consume it directly into the CDK. The addToResourcePolicy function expects only one object at a time. The AWS-generated policy had 3 objects in it, so when I tried to use .fromJson I was passing too many objects at once.

    In my snippet above I only provided one of those, and I was trying to find the CDK equivalent Principal object to use for an AWS ELB account. I found a workaround by using .fromJson for just this one policy object:

    bucket.addToResourcePolicy(
      cdk.aws_iam.PolicyStatement.fromJson({
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:--ELB-arnstuff--:root"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:--S3-Bucket-arnstuff--/AWSLogs/123456789/*"
      })
    );

    Note the removal of the new operator when consuming a JSON object. If you're running into the issue I had with multiple policies, you'll need to create a bucket.addToResourcePolicy block of code for each of the JSON policy objects you wish to apply.
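Putting Marcin's account table and JKK's fromJson workaround together, here is an added TypeScript example (not code from either answer, the question, or aws-cdk-lib) that builds the statement for a given region and lints it for over-broad grants before it is applied. The bucket ARN, log-owner account ID and the region subset in the lookup table are constructed for the example; the returned object is what you would hand to cdk.aws_iam.PolicyStatement.fromJson(...).

```typescript
// Added example, not from the question, the answers or aws-cdk-lib. Region -> ELB
// account ID: a constructed subset of the answer's table (extend as needed).
const ELB_ACCOUNT_BY_REGION: Record<string, string> = {
  'us-east-1': '127311923021', 'us-east-2': '033677994240',
  'us-west-2': '797873946194', 'eu-west-1': '156460612806',
  'eu-central-1': '054676820928', 'ap-southeast-2': '783225319266',
  'us-gov-west-1': '048591011584', 'cn-north-1': '638102146993',
};

interface PolicyStatementJson {
  Effect: 'Allow' | 'Deny';
  Principal: { AWS: string } | '*';
  Action: string | string[];
  Resource: string | string[];
}

// ARN partition follows the region prefix (the starred GovCloud/China rows).
function partitionFor(region: string): string {
  if (region.startsWith('cn-')) return 'aws-cn';
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  return 'aws';
}

// Build the console-style statement; the result is what the fromJson workaround feeds to bucket.addToResourcePolicy.
function elbAccessLogStatement(
  region: string, bucketArn: string, logOwnerAccountId: string,
): PolicyStatementJson {
  const elbAccount = ELB_ACCOUNT_BY_REGION[region];
  if (!elbAccount) throw new Error(`no ELB account known for region ${region}`);
  return {
    Effect: 'Allow',
    Principal: { AWS: `arn:${partitionFor(region)}:iam::${elbAccount}:root` },
    Action: 's3:PutObject',
    // Only the AWSLogs/<log-owner-account>/ prefix, not the whole bucket.
    Resource: `${bucketArn}/AWSLogs/${logOwnerAccountId}/*`,
  };
}
// Lint a statement before deploying it; returns [] when it is tightly scoped.
function lintAccessLogStatement(s: PolicyStatementJson): string[] {
  const problems: string[] = [];
  const actions = ([] as string[]).concat(s.Action);
  const resources = ([] as string[]).concat(s.Resource);
  if (s.Principal === '*') problems.push('wildcard principal: any account could write logs');
  if (actions.some((a) => a !== 's3:PutObject')) problems.push(`extra actions: ${actions.join(', ')}`);
  for (const r of resources) {
    if (!/\/AWSLogs\/\d+\/\*$/.test(r)) problems.push(`resource not scoped to AWSLogs/<account>/*: ${r}`);
  }
  return problems;
}
```

The question's resources: [`${bucket.bucketArn}/*`] is flagged by the lint, because it lets the ELB service account write anywhere in the bucket instead of only under AWSLogs/<account>/ as the console-generated policy does.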
