- Más nuevo
- Más votos
- Más comentarios
Have you taken a look at this blog - https://aws.amazon.com/blogs/architecture/stream-amazon-cloudwatch-logs-to-a-centralized-account-for-audit-and-analysis/
As you know VPC FlowLogs can publish to Amazon S3 or Amazon Cloudwatch.
Publishing flow-logs directly to a log group in another account is not possible, because the VPC Flow-log executes as a service role that you specify with a trust relationship to vpc-flow-logs.amazonaws.com
. This service role must exist inside the account that the flow logs reside, it is not possible to assume a role in another account. This process is outlined here.
If you try you will receive the following error: An error occurred (InvalidParameter) when calling the CreateFlowLogs operation: LogDestination must belong to the same account as the API caller.
If VPC Flow-logs pushes logs to an S3 bucket in another account, the the bucket policy grants permission which means that the flow-log uses a service role in the source account, and the bucket policy allows the write from the service role in the source account.
However, if you must publish to a CloudWatch group in another account, you could publish to the CloudWatch group locally in the same account, and the use CloudWatch subscriptions to push the log to Amazon Kinesis streams, Amazon Kinesis Firehose, or to AWS Lambda, which can then publish to CloudWatch log groups in a different account.
Without understanding your use-case, I would suggest sharing the data centrally using Amazon S3 as you do today. When the log lands in the central S3 bucket you could use a Lambda trigger add it to CloudWatch if you must. Something to note, publishing to a CloudWatch log group costs $0.50 per GB in us-east-1, and storing it costs $0.03 per GB. Publishing to S3, will use Kinesis Firehose and Amazon S3: Kinesis Firehose will cost $0.029 per GB and then storage in Amazon S3 would be $0.023 per GB .
Thank you for submitting your question, shanmukhaswamy! We answered this on an episode of AWS re:Post Live. You can click this link and jump to 30:20 in the time code to listen to us discuss - https://www.twitch.tv/videos/2204463289
Contenido relevante
- ¿Cómo puedo analizar los registros de flujo de VPC personalizados mediante CloudWatch Logs Insights?OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace 4 años
Hi we have this architecture in place already and here the target is s3 bucket. but I need to send vpc logs to central cloudwatch log groups and not to s3 bucket. thanks. please advice.
I am not sure if this can be achieved in a straight-forward way as Jason has mentioned. The subscriptions are only possible to Kinesis Data Streams, Kinesis Data Firehose, Opensearch or Lambda. Typically when customers use centralized logging solutions, they use Opensearch or 3rd party solutions like Splunk and KDF can send logs to Splunk and some other tools, or use S3.