Can log destination work with KMS encrypted kinesis streams

0

I am following AWS CloudWatch Logs - Setting up a new cross-account subscription and I have been able to get WAF logs from Account A to flow through to my Opensearch Cluster in Account B using the Documentation.

But I want to extend it so that everything is using encryption at rest or server-side encryption, but I am having an issue when I try to create a log destination where I get an error saying "Check if the destination is valid".

I have the following setup:

Data stream with Server-side encryption using KMS managed key

IAM role called CWLtoKinesisRole with the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }
            }
        }
    ]
}

and the following policy:

{
    "Statement": [
        {
            "Action": "kinesis:PutRecord",
            "Effect": "Allow",
            "Resource": "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient",
            "Sid": ""
        },
        {
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:*:123456789123:key/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

Then when I run:

aws logs put-destination \
    --destination-name "testDestination" \
    --target-arn "arn:aws:kinesis:region:123456789123:stream/logs-recipient" \
    --role-arn "arn:aws:iam::123456789123:role/CWLtoKinesisRole"

I get cloudwatch log destination: InvalidParameterException: Could not deliver test message to specified destination. Check if the destination is valid

Any direction on what I am missing here would be great,

thanks

Phil

1 Answer
1
Accepted Answer

So I figured it out, while the trusted policy allows for you to have:

"StringEquals": {
    "aws:PrincipalOrgID": "o-12345"
}

PrincipalOrgID isn't allowed for "Service": "logs.us-east-1.amazonaws.com"

Which is less than great, so I have to have the following and update it every time a new account is added to our Org:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:*:11111111064:*",
                        "arn:aws:logs:*:11111111608:*",
                        "arn:aws:logs:*:11111111423:*",
                        "arn:aws:logs:*:11111111580:*",
                        "arn:aws:logs:*:11111111684:*",
                        "arn:aws:logs:*:11111111264:*",
                        "arn:aws:logs:*:11111111864:*",
                        "arn:aws:logs:*:11111111735:*",
                        "arn:aws:logs:*:11111111215:*",
                        "arn:aws:logs:*:11111111760:*",
                        "arn:aws:logs:*:11111111466:*",
                        "arn:aws:logs:*:11111111704:*",
                        "arn:aws:logs:*:11111111395:*",
                        "arn:aws:logs:*:11111111653:*",
                        "arn:aws:logs:*:11111111392:*",
                        "arn:aws:logs:*:11111111413:*",
                        "arn:aws:logs:*:11111111796:*",
                        "arn:aws:logs:*:11111111914:*",
                        "arn:aws:logs:*:11111111446:*",
                        "arn:aws:logs:*:11111111690:*",
                        "arn:aws:logs:*:11111111199:*",
                        "arn:aws:logs:*:11111111136:*",
                        "arn:aws:logs:*:11111111667:*",
                        "arn:aws:logs:*:11111111731:*",
                        "arn:aws:logs:*:11111111723:*",
                        "arn:aws:logs:*:11111111459:*",
                        "arn:aws:logs:*:11111111365:*",
                        "arn:aws:logs:*:11111111270:*",
                        "arn:aws:logs:*:11111111879:*",
                        "arn:aws:logs:*:11111111658:*",
                        "arn:aws:logs:*:11111111744:*",
                        "arn:aws:logs:*:11111111601:*",
                        "arn:aws:logs:*:11111111804:*",
                        "arn:aws:logs:*:11111111462:*",
                        "arn:aws:logs:*:11111111339:*",
                        "arn:aws:logs:*:11111111975:*"
                    ]
                }
            }
        }
    ]
}

As you can see, that is a lot of accounts.

answered 2 years ago
  • Thanks WonderPhil. I spent hours on this yesterday as I had done exactly the same as you with the organization id in the trusted policy. Removing it got it working. Nice one.
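The two policies above can be generated instead of hand-edited, which matters because the accepted answer's trust policy has to be regenerated whenever an account joins the organization. The following is an added example, not code from the original question or answer: it builds the trust policy from a list of source account IDs using aws:SourceArn (the condition the answer says works for the logs.<region>.amazonaws.com service principal), builds a permissions policy scoped to one stream and one KMS key instead of key/* across the account, and includes a small lint that flags the aws:PrincipalOrgID-on-a-service-principal combination the answer identifies as the cause of the "Could not deliver test message" error. The stream ARN, key ARN and account IDs in the sample are constructed placeholders; in practice the account list would come from organizations:ListAccounts, which this offline example does not call.

```python
"""
Generate the IAM policies for a CloudWatch Logs cross-account destination
that writes to a KMS-encrypted Kinesis stream.

Added example, not part of the original post.  All ARNs and account IDs
below are constructed placeholders (assumptions), not real resources.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def logs_trust_policy(region: str, source_account_ids: list[str]) -> dict:
    """Trust policy for the role CloudWatch Logs assumes to write to the stream.

    The service principal is regional (logs.<region>.amazonaws.com).  Callers
    are restricted with aws:SourceArn, one entry per source account, rather
    than aws:PrincipalOrgID, which the accepted answer reports is not honoured
    for this service principal.  Duplicates are dropped and IDs validated so a
    typo cannot silently widen or break the trust.
    """
    bad = [a for a in source_account_ids if not ACCOUNT_ID_RE.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    source_arns = sorted(f"arn:aws:logs:*:{acct}:*" for acct in set(source_account_ids))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": f"logs.{region}.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringLike": {"aws:SourceArn": source_arns}},
            }
        ],
    }


def logs_permissions_policy(stream_arn: str, key_arn: str) -> dict:
    """Permissions policy: PutRecord on one stream, GenerateDataKey on one key.

    Kinesis server-side encryption requires the producer to be allowed
    kms:GenerateDataKey on the stream's key; scoping the resource to that
    key ARN avoids the account-wide key/* grant in the question.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "kinesis:PutRecord", "Resource": stream_arn},
            {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": key_arn},
        ],
    }


def find_org_id_on_service_principal(trust_policy: dict) -> list[int]:
    """Return indexes of statements that pair a Service principal with aws:PrincipalOrgID.

    That pairing is what the accepted answer identifies as the cause of
    'Could not deliver test message to specified destination'.
    """
    hits = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if not (isinstance(principal, dict) and "Service" in principal):
            continue
        for operator_args in stmt.get("Condition", {}).values():
            if isinstance(operator_args, dict) and "aws:PrincipalOrgID" in operator_args:
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    # Constructed sample values (assumptions); replace with your own.
    accounts = ["111111111064", "111111111608", "111111111423"]
    stream = "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient"
    key = "arn:aws:kms:us-east-1:123456789123:key/11111111-2222-3333-4444-555555555555"
    trust = logs_trust_policy("us-east-1", accounts)
    print(json.dumps(trust, indent=4))
    print(json.dumps(logs_permissions_policy(stream, key), indent=4))
    print("PrincipalOrgID on service principal:", find_org_id_on_service_principal(trust))
```

Run the lint over any existing trust policy (json.load the file and pass the dict) before calling put-destination; an empty list means the policy does not contain the combination the answer describes. Regenerate the trust policy from the current account list on a schedule or from an organization membership event, then update the role with iam update-assume-role-policy.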
