AWS IAM Policy for S3 Output Plugin

cytim · October 23, 2019, 6:49am

Extending the S3 output requires PutObject on * Resources, this post is created for other people to setup the IAM policy for S3 output plugin.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LogstashPutObject",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Sid": "LogstashDeleteTestObject",
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::mybucket/logstash-programmatic-access-test-object-*"
        }
    ]
}

The plugin simply requires the PutObject permission on the whole bucket to work. However, this will leave a "programmatic access test objects" on the bucket every time Logstash starts. Including the DeleteObject permission will solve the issue.

system · November 20, 2019, 6:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
S3 output requires PutObject on * Resources Logstash	7	2113	November 13, 2017
Logstash s3 input with iam role Logstash	5	4896	September 21, 2017
S3 output using iam roles that gives access to aws security credentials Logstash	2	2765	July 6, 2017
Bug when attempting to use logstash-output-s3 with encryption Logstash	2	1763	July 14, 2017
Logstash S3 output requires bucket object permissions at the root of the bucket, regardless of prefix config Logstash	1	1559	February 7, 2022

AWS IAM Policy for S3 Output Plugin

Related Topics