AWS S3 bucket policy for writing from AWS VPC Flows on multiple AWS accounts

ismail yenigül
1 min read · Aug 17, 2023

If you want to store the VPC flow logs of all your AWS accounts in a single bucket, you can use the following bucket policy. The first statement lets the log delivery service write, but only on behalf of the listed source accounts; the second denies any access that does not use TLS.

Note: Don’t forget to change the AWS region in the policy to match yours, and to replace the bucket name and the placeholder account IDs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:ListBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::my-aws-vpcflow-logs/*",
        "arn:aws:s3:::my-aws-vpcflow-logs"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111111111111",
            "222222222222",
            "333333333333"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:us-east-1:111111111111:*",
            "arn:aws:logs:us-east-1:222222222222:*",
            "arn:aws:logs:us-east-1:333333333333:*"
          ]
        }
      }
    },
    {
      "Sid": "ForceSSLOnlyAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-aws-vpcflow-logs/*",
        "arn:aws:s3:::my-aws-vpcflow-logs"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

You can get the raw JSON from this GitHub Gist:

https://gist.github.com/ismailyenigul/f5e49822692ae321c1a941d96a115358#file-aws-vpc-flow-s3-bucket-poilcy-json
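Hand-editing the two condition lists is where this policy usually goes wrong: an account added to aws:SourceAccount but not to aws:SourceArn (or with the wrong region) silently breaks delivery for that account. The following Python helper is an added example, not part of the post or the Gist: it renders the same policy from a bucket name, a region and a list of account IDs, and a second function reports any drift between the two condition lists in an existing policy. The bucket name and account IDs it uses are the post's placeholders.

```python
import json
import re

def vpc_flow_log_bucket_policy(bucket: str, region: str, accounts: list[str]) -> dict:
    """Render the post's policy; every account gets both a SourceAccount and a region-qualified SourceArn entry."""
    accounts = sorted(set(accounts))
    for acct in accounts:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    resources = [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the log delivery service may write only on behalf of the listed accounts
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": "delivery.logs.amazonaws.com"},
                "Action": ["s3:PutObject", "s3:ListBucket", "s3:GetBucketAcl"],
                "Resource": resources,
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": accounts},
                    "ArnLike": {"aws:SourceArn": [f"arn:aws:logs:{region}:{a}:*" for a in accounts]},
                },
            },
            {   # refuse any request that did not arrive over TLS
                "Sid": "ForceSSLOnlyAccess",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }

def source_condition_findings(policy: dict) -> list[str]:
    """Flag accounts in aws:SourceAccount with no aws:SourceArn entry, or vice versa (list-valued conditions, as in the post)."""
    findings = []
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        accts = set(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        arn_accts = {arn.split(":")[4] for arn in cond.get("ArnLike", {}).get("aws:SourceArn", [])}
        for a in sorted(accts - arn_accts):
            findings.append(f"{st['Sid']}: account {a} has no matching aws:SourceArn")
        for a in sorted(arn_accts - accts):
            findings.append(f"{st['Sid']}: aws:SourceArn account {a} is not in aws:SourceAccount")
    return findings

if __name__ == "__main__":  # placeholder bucket name and account ids, as in the post
    print(json.dumps(vpc_flow_log_bucket_policy("my-aws-vpcflow-logs", "us-east-1", ["111111111111"]), indent=2))
```

Run `source_condition_findings` over a policy pulled with `aws s3api get-bucket-policy` to catch a list that drifted after a manual edit.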
