[AWS] Route53 query logging

AWS Route 53 resolver의 CreateResolverQueryLogConfig 시

query logs의 Destination을 bucket name으로 설정할 경우, 

aws route53resolver create-resolver-query-log-config --name "log-config-name" --destination-arn "arn:aws:s3:::s3-query-logging"

 

S3 버킷 삭제

aws s3api delete-bucket-policy --bucket s3-query-logging

Empty bucket > permanently delete

 

AssociateResolverQueryLogConfig API 실행

aws route53resolver associate-resolver-query-log-config --resolver-query-log-config-id "rqlc-12aaa456fxxx4519" --resource-id "vpc-0a53xxxxxxxxx2deb"

 

정상 생성(Active)

{
    "ResolverQueryLogConfigAssociation": {
        "Id": "rqlca-8389713dfa194521",
        "ResolverQueryLogConfigId": "rqlc-12aaa456f7394519",
        "ResourceId": "vpc-0a535fa915c062deb",
        "Status": "CREATING",
        "Error": "NONE",
        "ErrorMessage": "",
        "CreationTime": "2025-08-07T07:06:27.873745085Z"
    }
}

VPC가 타 query log config와 연결되어 있을 경우

An error occurred (InvalidRequestException) when calling the AssociateResolverQueryLogConfig operation: [RSLVR-01306] The resource is already associated with a query logging configuration that is sending query logs to the specified destination type. Trace Id: "1-689450aa-38d4c77e583b368f14ffa282"

버킷 삭제 시(Failed)

INTERNAL_SERVICE_ERROR[RSLVR-00200] Internal Service Error, trace ID: "1-6894513d-1a1dxxxxxxxxxxxxxxxx4477"

 

ACCESS_DENIED: Account is not authorized to perform this operation.

 

References: 

[1] AssociateResolverQueryLogConfig - Errors - https://docs.aws.amazon.com/ko_kr/Route53/latest/APIReference/API_route53resolver_AssociateResolverQueryLogConfig.html#API_route53resolver_AssociateResolverQueryLogConfig_Errors