CrossLocationLoggingProhibited
AWS CrossLocationLoggingProhibited (Cross Location Logging Prohibited) means server access logging cannot target a bucket in another AWS Region. In Amazon S3, this error returns HTTP 403.
Last reviewed: March 4, 2026
What Does Cross Location Logging Prohibited Mean?
S3 refuses to apply the logging configuration, so audit and forensic log streams do not start until logging targets meet regional/account placement constraints.
Common Causes
- S3 access-log target bucket is in a different region than the source bucket.
- Destination log bucket is not in the same AWS account required by server access logging constraints.
- IaC templates reused cross-region logging targets without validation.
- Bucket migration changed region alignment but logging config was not updated.
How to Fix Cross Location Logging Prohibited
1. Configure access-log destination bucket in the same region as the source bucket.
2. Confirm destination bucket is owned by the same account and grants log-delivery write access.
3. Update logging configuration templates to enforce region alignment.
4. Reapply logging settings and verify with new object writes.
Step-by-Step Diagnosis for Cross Location Logging Prohibited
1. Check source and destination bucket regions explicitly.
2. Inspect destination bucket owner account ID, logging target config, and policy/ACL settings.
3. Trace recent bucket-region or ownership changes impacting log delivery.
4. Validate logging API calls in a controlled environment before rollout.
Logging Topology Validation
- Verify source and target bucket placement constraints for server access logs (example: source in us-east-1, target in eu-west-1 triggers CrossLocationLoggingProhibited).
- Audit account ownership alignment for source and log target buckets (example: centralized target bucket in a different account violates logging destination rules).
Log Delivery Permission Checks
- Inspect destination policy/ACL posture for log delivery principal requirements (example: bucket policy missing logging.s3.amazonaws.com write permission).
- Trace IaC drift between intended and actual logging targets (example: Terraform variable fallback points prod bucket to wrong regional log bucket).
Seen in Production
Centralized logging bucket is placed in a different region
Frequency: common
Example: S3 logging setup points all environments to one cross-region destination bucket.
Fix: Create region-local logging buckets and map each source bucket to same-region destination.
Migration changes bucket region but logging config is not updated
Frequency: rare
Example: After bucket migration, the old logging target remains and new logging configuration updates fail.
Fix: Refresh destination region mapping as part of migration runbook steps.
Debugging Tools
- aws s3api get-bucket-location
- aws s3api get-bucket-logging
- CloudTrail S3 configuration events
- Logging target policy/ACL checks
How to Verify the Fix
- Re-run logging configuration update and confirm CrossLocationLoggingProhibited is cleared.
- Validate new access logs are delivered to the configured destination bucket.
- Confirm log delivery remains stable across subsequent write windows.
How to Prevent Recurrence
- Add region-alignment checks for S3 logging in CI and IaC validation.
- Version-control per-environment logging target mappings.
- Alert on S3 access-log delivery failures and configuration drift.
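The region-alignment check from the list above, written as an added example (not code from this page or from AWS). It evaluates data shaped like the output of the two CLI calls listed under Debugging Tools; the bucket names and function names are hypothetical, and it covers Region placement only, not account ownership.

```python
# CI check: flag S3 access-log targets in a different Region than the source.
# Inputs mirror `aws s3api get-bucket-location` / `get-bucket-logging` JSON.

def normalize_region(location_constraint):
    """Map a GetBucketLocation LocationConstraint value to a Region name."""
    if not location_constraint:
        return "us-east-1"  # us-east-1 buckets report a null constraint
    if location_constraint == "EU":
        return "eu-west-1"  # legacy name for eu-west-1
    return location_constraint


def find_cross_location_targets(locations, logging_configs):
    """Return (source, target, detail) for each misplaced logging target."""
    findings = []
    for source, cfg in sorted(logging_configs.items()):
        enabled = cfg.get("LoggingEnabled")
        if not enabled:
            continue  # logging is off for this bucket, nothing to validate
        target = enabled["TargetBucket"]
        if source not in locations or target not in locations:
            # Fail closed: an unresolved Region must not pass the gate.
            findings.append((source, target, "unknown-region"))
            continue
        src = normalize_region(locations[source].get("LocationConstraint"))
        tgt = normalize_region(locations[target].get("LocationConstraint"))
        if src != tgt:
            findings.append((source, target, f"{src}->{tgt}"))
    return findings


SAMPLE_LOCATIONS = {  # constructed get-bucket-location responses
    "app-data-use1": {"LocationConstraint": None},
    "logs-use1": {"LocationConstraint": None},
    "app-data-euw1": {"LocationConstraint": "EU"},
    "logs-euw1": {"LocationConstraint": "eu-west-1"},
    "app-data-apse2": {"LocationConstraint": "ap-southeast-2"},
}
SAMPLE_LOGGING = {  # constructed get-bucket-logging responses
    "app-data-use1": {"LoggingEnabled": {"TargetBucket": "logs-use1", "TargetPrefix": "a/"}},
    "app-data-euw1": {"LoggingEnabled": {"TargetBucket": "logs-euw1", "TargetPrefix": "a/"}},
    "app-data-apse2": {"LoggingEnabled": {"TargetBucket": "logs-use1", "TargetPrefix": "a/"}},
    "logs-use1": {},  # empty response: logging not configured
}

if __name__ == "__main__":
    results = find_cross_location_targets(SAMPLE_LOCATIONS, SAMPLE_LOGGING)
    for source, target, detail in results:
        print(f"FAIL {source} -> {target}: {detail}")
```

A CI job can exit non-zero whenever the returned list is non-empty, which blocks the deployment before S3 rejects the logging configuration.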
Pro Tip
- Provision one dedicated log bucket per region and generate logging config from region maps to eliminate accidental cross-location targets.
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.