AWS Security ChangesHomeSearch

AWS elasticloadbalancing medium security documentation change

Service: elasticloadbalancing · 2025-06-07 · Security-related medium

File: elasticloadbalancing/latest/application/enable-access-logging.md

Summary

Added Asia Pacific (Taipei) region and expanded S3 bucket policy examples to explicitly allow log delivery service principal. Provided guidance on using aws:PrincipalServiceNamesList condition instead of NotPrincipal.

Security assessment

The change addresses potential misconfigurations in S3 bucket policies that could block access logging by providing explicit guidance on allowing logdelivery.elasticloadbalancing.amazonaws.com. The recommendation to avoid NotPrincipal (known to be error-prone) and use condition keys instead improves security posture by reducing risk of unintended access denials.

Diff

diff --git a/elasticloadbalancing/latest/application/enable-access-logging.md b/elasticloadbalancing/latest/application/enable-access-logging.md
index a167becb1..1d08b6612 100644
--- a//elasticloadbalancing/latest/application/enable-access-logging.md
+++ b//elasticloadbalancing/latest/application/enable-access-logging.md
@@ -75,0 +76,2 @@ This policy grants permissions to the specified log delivery service. Use this p
+  * Asia Pacific (Taipei)
+
@@ -318 +320,16 @@ Use the following suggestions to enhance the security of your S3 bucket.
-  * If your Amazon S3 bucket policy `Effect` with the value `Deny` and includes `NotPrincipal` as shown in the example below, ensure that `logdelivery.elasticloadbalancing.amazonaws.com` is included in the `Service` list.
+  * If you have a `Deny` statement to prevent access to service principals except those explicitly allowed, be sure to add `logdelivery.elasticloadbalancing.amazonaws.com` to the list of allowed service principals. For example, if you used the `aws:PrincipalServiceNamesList` condition, add `logdelivery.elasticloadbalancing.amazonaws.com` as follows:
+    
+        {
+      "Effect": "Deny",
+      "Principal": "*",
+      "Condition": {
+          "StringNotEqualsIfExists": {
+              "aws:PrincipalServiceNamesList": [
+                  "logdelivery.elasticloadbalancing.amazonaws.com",
+                  "service.amazonaws.com"
+              }
+          }
+      }
+    }
+
+If you used the `NotPrincipal` element, add `logdelivery.elasticloadbalancing.amazonaws.com` as follows. Note that we recommend that you use the `aws:PrincipalServiceName` or `aws:PrincipalServiceNamesList` condition key to explicitly allow service principals instead of using the `NotPrincipal` element. For more information, see [NotPrincipal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html).
@@ -325 +342 @@ Use the following suggestions to enhance the security of your S3 bucket.
-           "example.com"
+           "service.amazonaws.com"