AWS

CrossLocationLoggingProhibited - Cross Location Logging Prohibited

Hitting a **CrossLocationLoggingProhibited** error means you're trying to configure S3 bucket logging where the source bucket and the logging bucket are in different AWS regions. S3 requires both buckets to be in the same region for logging. This client-side error (4xx) is returned when AWS validates the S3 logging configuration. It is most common when the source and logging buckets are in different regions, but it also appears when cross-region logging is attempted, a geographic location mismatch occurs, or the logging configuration violates S3 region rules.

Common Causes

  • Identity: IAM policy allows logging but region mismatch. Service Control Policy (SCP) enforces same-region logging.
  • Network: Logging bucket in different AWS region. Cross-region logging attempted. VPC endpoint routing to different regions.
  • Limits: Source bucket and logging bucket in different regions. Geographic location mismatch. Logging configuration violates S3 region rules.

Solutions

  1. Step 1: Diagnose - Check source bucket region: aws s3api get-bucket-location --bucket SOURCE_BUCKET. Note the region. Verify bucket exists in that region.
  2. Step 2: Diagnose - Check logging bucket region: aws s3api get-bucket-location --bucket LOGGING_BUCKET. Compare with source bucket region. Verify if regions match.
  3. Step 3: Diagnose - Review current logging configuration: aws s3api get-bucket-logging --bucket SOURCE_BUCKET. Check which bucket is configured for logging. Verify region mismatch.
  4. Step 4: Fix - Create logging bucket in same region: aws s3 mb s3://LOGGING_BUCKET --region SOURCE_REGION. Or use existing bucket in same region. Verify regions match: aws s3api get-bucket-location --bucket BUCKET_NAME.
  5. Step 5: Fix - Configure logging with same-region bucket: aws s3api put-bucket-logging --bucket SOURCE_BUCKET --bucket-logging-status file://logging.json. Ensure logging.json specifies bucket in same region.

Code Examples

Check Bucket Regions for Logging Configuration
```bash
#!/bin/bash
SOURCE_BUCKET="my-source-bucket"
LOGGING_BUCKET="my-logging-bucket"

echo "=== Checking Source Bucket Region ==="
# Stop if the lookup fails (missing bucket, access denied) instead of assuming a region
SOURCE_REGION=$(aws s3api get-bucket-location --bucket "${SOURCE_BUCKET}" --query LocationConstraint --output text) || exit 1
# us-east-1 returns null (printed as "None" with --output text), handle it
if [ "${SOURCE_REGION}" = "None" ] || [ -z "${SOURCE_REGION}" ]; then
  SOURCE_REGION="us-east-1"
fi
echo "Source bucket region: ${SOURCE_REGION}"

printf '\n=== Checking Logging Bucket Region ===\n'
LOGGING_REGION=$(aws s3api get-bucket-location --bucket "${LOGGING_BUCKET}" --query LocationConstraint --output text) || exit 1
if [ "${LOGGING_REGION}" = "None" ] || [ -z "${LOGGING_REGION}" ]; then
  LOGGING_REGION="us-east-1"
fi
echo "Logging bucket region: ${LOGGING_REGION}"

# Compare regions
printf '\n=== Region Comparison ===\n'
if [ "${SOURCE_REGION}" = "${LOGGING_REGION}" ]; then
  echo "✓ Regions match - logging configuration should work"
else
  echo "✗ Regions don't match - this will cause CrossLocationLoggingProhibited"
  echo "Source: ${SOURCE_REGION}, Logging: ${LOGGING_REGION}"
  printf '\nFix: Create logging bucket in %s or use existing bucket in same region\n' "${SOURCE_REGION}"
fi
```

Create Logging Bucket in Same Region
```bash
#!/bin/bash
SOURCE_BUCKET="my-source-bucket"
LOGGING_BUCKET="my-logging-bucket-same-region"

# Get source bucket region; stop if the lookup fails instead of assuming a region
SOURCE_REGION=$(aws s3api get-bucket-location --bucket "${SOURCE_BUCKET}" --query LocationConstraint --output text) || exit 1
# us-east-1 returns null (printed as "None" with --output text)
if [ "${SOURCE_REGION}" = "None" ] || [ -z "${SOURCE_REGION}" ]; then
  SOURCE_REGION="us-east-1"
fi

echo "=== Creating Logging Bucket in Same Region ==="
echo "Source bucket region: ${SOURCE_REGION}"
echo "Creating logging bucket: ${LOGGING_BUCKET}"

# Create bucket in same region
if [ "${SOURCE_REGION}" = "us-east-1" ]; then
  # us-east-1 doesn't need LocationConstraint
  aws s3api create-bucket --bucket "${LOGGING_BUCKET}" --region "${SOURCE_REGION}"
else
  aws s3api create-bucket \
    --bucket "${LOGGING_BUCKET}" \
    --region "${SOURCE_REGION}" \
    --create-bucket-configuration "LocationConstraint=${SOURCE_REGION}"
fi

# Verify bucket created in correct region (prints "None" for us-east-1)
printf '\n=== Verifying Logging Bucket Region ===\n'
aws s3api get-bucket-location --bucket "${LOGGING_BUCKET}" --query LocationConstraint --output text
```

Configure S3 Logging with Same-Region Bucket
```bash
#!/bin/bash
SOURCE_BUCKET="my-source-bucket"
LOGGING_BUCKET="my-logging-bucket"

# Verify regions match first; stop if either lookup fails instead of assuming a region
SOURCE_REGION=$(aws s3api get-bucket-location --bucket "${SOURCE_BUCKET}" --query LocationConstraint --output text) || exit 1
LOGGING_REGION=$(aws s3api get-bucket-location --bucket "${LOGGING_BUCKET}" --query LocationConstraint --output text) || exit 1

# us-east-1 returns null (printed as "None" with --output text)
if [ "${SOURCE_REGION}" = "None" ] || [ -z "${SOURCE_REGION}" ]; then
  SOURCE_REGION="us-east-1"
fi
if [ "${LOGGING_REGION}" = "None" ] || [ -z "${LOGGING_REGION}" ]; then
  LOGGING_REGION="us-east-1"
fi

if [ "${SOURCE_REGION}" != "${LOGGING_REGION}" ]; then
  echo "✗ Regions don't match - cannot configure logging"
  exit 1
fi

echo "=== Configuring S3 Logging ==="
echo "Source bucket: ${SOURCE_BUCKET} (region: ${SOURCE_REGION})"
echo "Logging bucket: ${LOGGING_BUCKET} (region: ${LOGGING_REGION})"

# Create logging configuration JSON in a private temp file (not a fixed /tmp path)
LOGGING_CONFIG=$(mktemp) || exit 1
trap 'rm -f "${LOGGING_CONFIG}"' EXIT
cat > "${LOGGING_CONFIG}" <<EOF
{
  "LoggingEnabled": {
    "TargetBucket": "${LOGGING_BUCKET}",
    "TargetPrefix": "logs/"
  }
}
EOF

# Apply logging configuration
aws s3api put-bucket-logging \
  --bucket "${SOURCE_BUCKET}" \
  --bucket-logging-status "file://${LOGGING_CONFIG}"

# Verify logging configuration
printf '\n=== Verifying Logging Configuration ===\n'
aws s3api get-bucket-logging --bucket "${SOURCE_BUCKET}" --output json
```
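
Step 4 also allows reusing an existing bucket in the same region. The following is an added example, not part of the original page, that filters candidate buckets down to those that can serve as the logging target; it goes slightly beyond the scripts above by also handling the legacy `EU` location value and by refusing to guess a region when a lookup fails. The bucket names, the `sample_lookup` inventory and the `LOOKUP` variable are constructed for illustration.

```shell
#!/bin/sh
# Added example: list existing buckets usable as a logging target for a source bucket.

# Map the raw LocationConstraint text printed by the CLI to a region name.
normalize_location() {
  case "$1" in
    None|null) echo "us-east-1" ;;  # us-east-1 reports a null constraint
    EU)        echo "eu-west-1" ;;  # legacy value still returned for older buckets
    "")        return 1 ;;          # empty means the lookup failed: do not guess
    *)         echo "$1" ;;
  esac
}

# Real lookup through the AWS CLI.
aws_lookup() {
  aws s3api get-bucket-location --bucket "$1" \
    --query LocationConstraint --output text 2>/dev/null
}

# Constructed inventory so the example runs offline (bucket names are made up).
sample_lookup() {
  case "$1" in
    app-data)       echo "eu-west-1" ;;
    logs-legacy-eu) echo "EU" ;;
    logs-virginia)  echo "None" ;;
    logs-oregon)    echo "us-west-2" ;;
    *)              return 1 ;;     # unknown bucket or access denied
  esac
}

LOOKUP=${LOOKUP:-sample_lookup}     # set LOOKUP=aws_lookup to query real buckets

bucket_region() {
  raw=$("$LOOKUP" "$1") || return 1
  normalize_location "$raw"
}

# Usage: same_region_targets SOURCE_BUCKET CANDIDATE...
same_region_targets() {
  src=$1; shift
  src_region=$(bucket_region "$src") || { echo "cannot resolve region of $src" >&2; return 2; }
  for b in "$@"; do
    region=$(bucket_region "$b") || continue   # skip buckets we cannot resolve
    if [ "$region" = "$src_region" ]; then echo "$b"; fi
  done
  return 0
}

same_region_targets app-data logs-legacy-eu logs-virginia logs-oregon missing-bucket
```

With the constructed inventory, only the bucket reporting `EU` qualifies for the `eu-west-1` source; a bucket whose location cannot be read is skipped rather than treated as `us-east-1`.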

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.