@bysnupy
Last active April 8, 2021 13:37
// Before running, replace AWS_ACCOUNT_ID with your own account ID and ELB_ACCOUNT_ID with the Elastic Load Balancing account ID for your load balancer's region.
$ cat <<EOF > s3-bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ELB_ACCOUNT_ID:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::test-trace-logs/AWSLogs/AWS_ACCOUNT_ID/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::test-trace-logs/AWSLogs/AWS_ACCOUNT_ID/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::test-trace-logs"
    }
  ]
}
EOF

$ aws s3api put-bucket-policy \
  --bucket test-trace-logs \
  --policy file://s3-bucket-policy.json

// Verify that the bucket policy was applied with the following command.
$ aws s3api get-bucket-policy \
  --bucket test-trace-logs | jq -r .Policy | jq
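
// Added example, not part of the original gist: a small Python check over the policy text returned above. It flags leftover placeholders, wildcard principals, PutObject grants wider than AWSLogs/<account-id>/*, and a service-principal PutObject without the ACL condition. The function name, the sample policy and its account IDs are constructed for illustration.

```python
import json
import re
import sys

PLACEHOLDERS = ("AWS_ACCOUNT_ID", "ELB_ACCOUNT_ID")  # placeholders used in the gist

# Constructed sample (made-up account IDs); statement 1 omits the ACL condition.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::test-trace-logs/AWSLogs/222222222222/*"},
    {"Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::test-trace-logs/AWSLogs/222222222222/*"},
]})

def as_list(value):
    """IAM allows a bare string or a list for Action/Resource/Principal values."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy_text, bucket):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if any(p in policy_text for p in PLACEHOLDERS):
        findings.append("placeholder account ID left in policy")
    # Expected write scope: <bucket>/AWSLogs/<12-digit account id>/*
    scope = re.compile(r"arn:aws:s3:::%s/AWSLogs/\d{12}/\*" % re.escape(bucket))
    for i, st in enumerate(as_list(json.loads(policy_text).get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        is_dict = isinstance(principal, dict)
        if principal == "*" or (is_dict and "*" in as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: wildcard principal")
        if "s3:PutObject" not in as_list(st.get("Action", [])):
            continue
        if not all(scope.fullmatch(r) for r in as_list(st.get("Resource", []))):
            findings.append(f"statement {i}: PutObject not limited to AWSLogs/<account-id>/*")
        acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if is_dict and "Service" in principal and acl != "bucket-owner-full-control":
            findings.append(f"statement {i}: service PutObject lacks the "
                            "bucket-owner-full-control ACL condition")
    return findings

if __name__ == "__main__":
    # Pass a file holding the `jq -r .Policy` output, or run with no argument for SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint_policy(text, "test-trace-logs") or ["OK"]:
        print(finding)
```

// To check the live bucket, redirect the `jq -r .Policy` output of the get-bucket-policy command to a file and pass that file as the first argument.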