What I try to do is to enable Standard Logging for a CloudFront distribution, via AWS console, as in the picture below:

I have set the following S3 Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::931426637260:user/relu"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:PutBucketAcl"
            ],
            "Resource": "arn:aws:s3:::[...]"
        }
    ]
}

"Block all public access" is Off.

Though, I keep getting this error:

The S3 bucket that you specified for CloudFront logs does not enable ACL access: [...].s3.amazonaws.com

I get this error even if I try to enable logging as the root user.

Does anybody have any idea what might be wrong?

It seems I had to enable ACL here:

Starting in April 2023, you will need to enable S3 access control lists (ACLs) for new S3 buckets being used for CloudFront standard logs:

(screenshot)

(even though at the same time AWS tells you that it's not recommended to enable ACLs 🤔)

A majority of modern use cases in S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled

So as far as I have been able to determine, there is no way to adhere to the second message/recommendation (disable ACLs), while getting your CloudFront logs in your bucket.

If you're using the UI, see user3429660's answer.

In case someone is looking how to do this in CloudFormation:

  Bucket:
    Type: AWS::S3::Bucket
    Properties: 
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      [....]

(alternatively use ObjectOwnership: ObjectWriter)

That's all that's needed; even when using CloudFormation, the CloudFront Logger will automatically add itself to the ACLs (as long as they are enabled).

For Terraform users:

resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

The reason it isn't working is that the S3 Object Ownership prevents CloudFront from delivering log files to the bucket. The accepted answer is correct, however, it took me a second to get to that setting.

To get to the setting

S3 -> Buckets -> Your_bucket_name -> Permissions -> Object Ownership

The object ownership setting will be a little bit down the page. Hopefully, this helps someone! I'm happy to provide more detail if that would be helpful.

Check that you're not trying to send CloudFront logs to an S3 bucket in an unsupported region.

Yep - that's right, CloudFront doesn't support writing logs to S3 buckets in all regions. This is probably a less common problem, but it snagged me up.

From https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket

Important

Don't choose an Amazon S3 bucket in any of the following Regions, because CloudFront doesn't deliver standard logs to buckets in these Regions:

- Africa (Cape Town)
- Asia Pacific (Hong Kong)
- Asia Pacific (Hyderabad)
- Asia Pacific (Jakarta)
- Asia Pacific (Melbourne)
- Europe (Milan)
- Europe (Spain)
- Europe (Zurich)
- Middle East (Bahrain)
- Middle East (UAE)

For the record, the error I was getting from CloudFormation was:

Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: xxxxx.s3.ap-southeast-4.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: 82xex74x-x184-472h-aekl-944276356rfe)'." (RequestToken: aekd4b6e-45ha-489a-013e-6203kl194c21, HandlerErrorCode: AccessDenied)

this line from the docs covers your findings:

That setting disables ACLs for the bucket and the objects in it, which prevents CloudFront from delivering log files to the bucket.

ie. ACLs are needed relevant docs are here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html

I experienced a similar issue when setting up AWS S3 for Cloudfront logs using Terraform AWS S3 module:

│ Error: creating CloudFront Distribution: operation error CloudFront: CreateDistributionWithTags, https response error StatusCode: 400, RequestID: 2cda27dd-105a-4656-b9c3-04ae8af40113, InvalidArgument: The S3 bucket that you specified for CloudFront logs does not enable ACL access: test-bucket.s3.us-east-1.amazonaws.com │ │ with module.cloudfront.aws_cloudfront_distribution.this[0], │ on .terraform\modules\cloudfront\main.tf line 27, in resource "aws_cloudfront_distribution" "this": │ 27: resource "aws_cloudfront_distribution" "this" { │

Here's how I solved:

All I needed to do was to enable control object ownership:

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 4.1.1"

  bucket                   = "test-bucket"
  acl                      = "private"
  control_object_ownership = true
  object_ownership         = "ObjectWriter"
  block_public_acls        = true
  block_public_policy      = true
}