Cross-account cross-region in CloudWatch for a specific log group

1

We would like to read events from an EC2 machine in one account and region and to read events from a log group in another account and another region. We saw the option of Cross-account cross-region, but we did not find any option to allow the other account to access only a specific log group. Is there such an option, or is there any other solution we can use to solve that problem? Thanks

3 answers
0

The Cross-Account Cross-Region feature of CloudWatch which you are referring to is usually preferable for sharing metrics/logs from a whole account to a monitoring account.

If you want just specific log groups (or a specific log group) to be shared with another account I would recommend considering sharing the logs using a CloudWatch Logs subscription and Amazon Kinesis or Amazon Kinesis Data Firehose as per the following documentation: Cross-account log data sharing with subscriptions - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

AWS
SUPPORT ENGINEER
answered 2 years ago
  • I agree with Jasper_R: the ideal way is to use S3 to share, because S3 has a resource policy you can use to grant the source account access. However, to post to CloudWatch the FlowLog service must assume a role in the target account, which it is not allowed to do. Also, the API requires that the log group be in the same account as the VPC/subnet. If you have to post to a log group in another account, then a subscription model using Amazon Kinesis or AWS Lambda is a good approach, i.e. log to CloudWatch, subscribe to the log, and use Kinesis or Lambda to post to a log group in another account.

0

As per quick research I've made, sharing the log groups (any) cross-account is not supported, unfortunately: https://stackoverflow.com/questions/62270980/logs-can-only-be-viewed-for-the-account-logged-in-in-aws-cloudwatch-logs-conso

answered 2 years ago
-1

It's possible. Cross Account Cross Region sharing in CloudWatch is enabled by creating an IAM role called CloudWatch-CrossAccountSharingRole. You can let the console create that role for you and then modify it to allow a specific log group to be read. Or else you can create the prebuilt role using CloudFormation/CDK/Terraform or via CLI/API directly.

See Example 3 in resource-based access to CloudWatch Logs. Something like this would be what you need inside policy for CloudWatch-CrossAccountSharingRole:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:FilterLogEvents",
        "logs:StartQuery",
        "logs:StopQuery"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
    }
  ]
}

That will allow you to put a log widget in a central dashboard that runs a Logs Insights query on a log in a different account/region.

AWS
answered 2 years ago
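As an added example (not code from the answer above or from AWS), the following Python builds the two policy documents the sharing role needs, scoped to named log groups only, and checks a permission policy for statements that reach beyond a single named group (a `log-group:*` or `*` resource). The account IDs are constructed placeholders, and the trust-policy shape (the monitoring account's root principal allowed to call `sts:AssumeRole`) is an assumption about how the role is set up, not something the answer states.

```python
import re

# Constructed placeholder values (not real accounts). The monitoring account hosts
# the central dashboard; the log account owns the log group being shared.
LOG_ACCOUNT = "123456789012"
MONITORING_ACCOUNT = "210987654321"
REGION = "us-west-2"

# Only the actions the answer lists, all of which accept a log-group resource.
READ_ACTIONS = ["logs:FilterLogEvents", "logs:StartQuery", "logs:StopQuery"]

# An ARN scoped to one named log group: region, 12-digit account, a concrete
# group name (no '*' or ':' inside it) and the trailing ':*' for its streams.
NAMED_GROUP_ARN = re.compile(r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:[^:*]+:\*$")


def log_group_arn(name, region=REGION, account=LOG_ACCOUNT):
    return f"arn:aws:logs:{region}:{account}:log-group:{name}:*"


def sharing_policy(group_names):
    """Permission policy for CloudWatch-CrossAccountSharingRole: named groups only."""
    statement = {"Effect": "Allow", "Action": READ_ACTIONS,
                 "Resource": [log_group_arn(n) for n in group_names]}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy(monitoring_account=MONITORING_ACCOUNT):
    """Trust policy (assumed shape): only the monitoring account may assume the role."""
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": f"arn:aws:iam::{monitoring_account}:root"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def overly_broad(policy):
    """(action, resource) pairs in Allow statements that reach past a named log group."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for res in resources:
            if not NAMED_GROUP_ARN.match(res):
                findings.extend((a, res) for a in actions)
    return findings
```

Run `overly_broad` against the role's attached policy after the console has created it, since the console-generated role grants read access more widely than one log group and needs to be narrowed by hand.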
