AWS IAM Policy for S3 Output Plugin

Extending the S3 output requires PutObject on * Resources; this post is created for other people to set up the IAM policy for the S3 output plugin.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LogstashPutObject",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Sid": "LogstashDeleteTestObject",
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::mybucket/logstash-programmatic-access-test-object-*"
        }
    ]
}

The plugin simply requires the PutObject permission on the whole bucket to work. However, this will leave a "programmatic access test object" on the bucket every time Logstash starts. Including the DeleteObject permission will solve the issue.
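To check what the policy above actually grants, the following added example (not part of the original post, and not AWS's own evaluation code) runs a simplified identity-policy evaluation over a few constructed requests. The object keys, the `2024/` prefix and the helper names are assumptions made for illustration; conditions, `NotAction`/`NotResource` and other policy types are ignored.

```python
import re

# The policy from the post, as a Python dict.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LogstashPutObject", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::mybucket/*"},
    {"Sid": "LogstashDeleteTestObject", "Effect": "Allow", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::mybucket/logstash-programmatic-access-test-object-*"},
]}

def _glob(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags | re.DOTALL) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, then any Allow, else implicit deny.
    Action names match case-insensitively; resource ARNs are case-sensitive."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_glob(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
               and any(_glob(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

BUCKET = "arn:aws:s3:::mybucket"
TEST_KEY = "logstash-programmatic-access-test-object-1700000000"  # constructed key
# Constructed requests: keys and prefix are illustrative, not from a real bucket.
REQUESTS = [
    ("s3:PutObject", f"{BUCKET}/{TEST_KEY}"),          # startup write test
    ("s3:DeleteObject", f"{BUCKET}/{TEST_KEY}"),       # cleanup of the test object
    ("s3:PutObject", f"{BUCKET}/2024/app.log"),        # normal log upload
    ("s3:DeleteObject", f"{BUCKET}/2024/app.log"),     # deleting real logs
    ("s3:DeleteObject", f"{BUCKET}/2024/{TEST_KEY}"),  # test object under a key prefix
    ("s3:GetObject", f"{BUCKET}/2024/app.log"),        # reading logs back
]

def evaluate(policy=POLICY):
    return [(action, arn, is_allowed(policy, action, arn)) for action, arn in REQUESTS]

if __name__ == "__main__":
    for action, arn, ok in evaluate():
        print(f"{'ALLOW' if ok else 'DENY':5} {action:16} {arn}")
```

Only the first three requests are allowed: the delete grant is anchored at the bucket root, so it covers neither uploaded log objects nor a test object whose key sits under a prefix.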
