ALB logging to S3 bucket: Access Denied - amazon-s3

Why do I keep getting the following error? I'm simply trying to turn on logging for an application load balancer and specifying an S3 bucket to log to.
I'm logged in as root and have permissions on the bucket set to allow root (me) to perform all operations.

Does its bucket policy allow Elastic Load Balancing account ID?
Attach a policy to your S3 bucket - Enable access logs for your Application Load Balancer - Elastic Load Balancing
For the Regions in the list below, use the following policy, which grants permissions to the specified Elastic Load Balancing account ID.

Related

EC2 instance launched S3 Endpoint subnet unable to list bucket object with endpoint bucket policy

I have created S3endpoint and added it to route table of a subnet.
Subnet has route to internet and able to open AWS console.
Next a bucket is created with bucket policy limiting access to it through VPC endpoint.
I have IAM user which has full permission to this bucket.
When i access the S3 bucket through S3 console webpage there is an error 'Access Denied' but i am able to upload files to the bucket.
Does S3 endpoint imply that only access will be through AWS CLI \SDKs? and console access is limited?
Does S3 endpoint imply that only access will be through AWS CLI \SDKs?
and console access is limited?
My understanding is that any calls done in the AWS Console will not use the endpoint setup within the VPC, even if you're accessing it via an EC2 instance within the VPC. This is because the UI within the AWS Console does not directly access the S3 API Endpoint, but instead goes through a proxy to reach the endpoint.
If you need to access the S3 bucket via the AWS Console, you'll need to amend your bucket policy.

AWS CLI - how to get when the file was changed

A client is uploading data we use to AWS S3. I need to find out when the uploads took place in the last week (or month). How could I go about that? If I use aws s3 ls path I get only the date of the last change.
To obtain historical information about Amazon S3 API calls, you can use AWS CloudTrail.
From Logging Amazon S3 API Calls by Using AWS CloudTrail - Amazon Simple Storage Service:
Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3. CloudTrail captures a subset of API calls for Amazon S3 as events, including calls from the Amazon S3 console and from code calls to the Amazon S3 APIs.
To use object-level logging, see: How Do I Enable Object-Level Logging for an S3 Bucket with AWS CloudTrail Data Events? - Amazon Simple Storage Service

How protect Amazon S3 via Basic Authentification

I am new to S3 and am wonding how I could protect access to S3 or cloud front via Basic Authentification while installing a private certificate into Chrome, that allows access. Is there anything like this?
It is not possible to use Basic Authentication with Amazon S3 nor Amazon CloudFront.
Amazon S3 access can be controlled via one or more of:
Access Control List on the object level
Amazon S3 Bucket Policy
AWS Identity and Access Management (IAM) Policy
Amazon CloudFront has its own method of controlling access via signed URLs and signed cookies.

AWS S3 only allow Cloudfront access

So in order to make it so that S3 objects must be accessed through Cloudfront, the instructions are to go into your Cloudfront distribution settings, then Origins, then set Yes to Restrict Bucket Access. I also select Yes, Update Bucket Policy.
I then go into my S3 bucket and see that the Cloudfront access policy is in place, and that the only permissions present on the bucket is access for my user account.
However, I can still access S3 bucket objects with their respective S3 urls.
The catch is that the objects are created with read permissions for everyone, but shouldn't bucket policy, and even the Cloudfront policy, trump independent object policy?
I would recommend taking a look at Using ACLs and Bucket Policies Together S3 documentation.
With existing Amazon S3 ACLs, a grant always provides access to a
bucket or object. When using policies, a deny always overrides a
grant.

How to share Amazon AWS credentials (S3, EC2, etc)?

I have a personal Amazon account which I use to do a lot of shopping. I also recently linked this account to AWS. Now at work, some guys are doing experiments with Amazon using my account. How can I let them access the admin console, etc without giving them my Amazon credentials. I am not willing to share my Amazon shopping history or other things I use on Amazon, just the cloud services such as EC2 and S3.
What they need is access to the full admin console, and any monitoring tools on AWS.
Use AWS Identity and Access Management (IAM).
AWS Identity and Access Management (IAM) enables you to securely
control access to AWS services and resources for your users. Using IAM
you can create and manage AWS users and groups and use permissions to
allow and deny their permissions to AWS resources