如何将Flow Log流日志保存到另一个AWS账号?
0
【以下的问题经过翻译处理】 大家好, 我正在尝试将帐户1中的Flow Log流日志保存到帐户2中的s3存储桶中,但是我找不到实现该功能的方法,当我尝试设置时,会出现以下错误:“对于LogDestination: <s3 bucket>,方法不允许。请检查LogDestination权限。”
在帐户2的s3存储桶中,我已经进行了以下设置:
{
"Version": "2012-10-17",
"Id": "Policy1",
"Statement": [
{
"Sid": "writeflow",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account1>:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::<s3 bucket on account 2>"
}
]
}
我也尝试在s3存储桶上进行了以下设置:为其他AWS帐户开启访问权限,Grantee:<ConID> 具有完全访问权限。 目前我临时设置完全访问权限,一旦尝试成功,我将减少这些权限。
Sprache
中文 (简体)
1 Antwort
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
0
【以下的回答经过翻译处理】 大家好,我们通过下列脚本实现了需求(账户2的s3存储桶策略),只需将 123412341234 替换为发送流日志的帐户即可。例如:1234-1234-1234转123412341234
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::s3bucketname",
"arn:aws:s3:::s3bucketname/*"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123412341234",
"s3:x-amz-acl": "bucket-owner-full-control"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs:ap-southeast-2:123412341234:*"
}
}
},
{
"Sid": "AWSLogDeliveryCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::s3bucketname",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123412341234"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs:ap-southeast-2:123412341234:*"
}
}
}
]
}
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 2 Jahren- AWS OFFICIALAktualisiert vor 2 Jahren
- AWS OFFICIALAktualisiert vor 2 Jahren
- AWS OFFICIALAktualisiert vor einem Jahr