Can log destination work with KMS encrypted kinesis streams

0

I am following AWS CloudWatch Logs - Setting up a new cross-account subscription and I have been able to get WAF logs from Account A to flow through to my Opensearch Cluster in Account B using the Documentation.

But I want to extend it so that everything is doing Encryption at Rest or Server Side Encryption, but I am having an issue when I try to create a log destination where I get an error saying "Check if the destination is valid".

I have the following setup:

Data stream with Server-side encryption using KMS managed key

IAM role called CWLtoKinesisRole with the following trusted Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }
            }
        }
    ]
}

and the following policy:

{
    "Statement": [
        {
            "Action": "kinesis:PutRecord",
            "Effect": "Allow",
            "Resource": "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient",
            "Sid": ""
        },
        {
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:*:123456789123:key/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

Then when I run:

aws logs put-destination \
    --destination-name "testDestination" \
    --target-arn "arn:aws:kinesis:region:123456789123:stream/logs-recipient" \
    --role-arn "arn:aws:iam::123456789123:role/CWLtoKinesisRole"

I get cloudwatch log destination: InvalidParameterException: Could not deliver test message to specified destination. Check if the destination is valid

Any direction on what I am missing here would be great,

thanks

Phil

1 answer
1
Accepted answer

So I figured it out, while the trusted policy allows for you to have:

"StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }

PrincipalOrgID isn't allowed for "Service": "logs.us-east-1.amazonaws.com"

Which is less than great, so I have to have the following and update it every time a new account is added to our Org:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:*:11111111064:*",
                        "arn:aws:logs:*:11111111608:*",
                        "arn:aws:logs:*:11111111423:*",
                        "arn:aws:logs:*:11111111580:*",
                        "arn:aws:logs:*:11111111684:*",
                        "arn:aws:logs:*:11111111264:*",
                        "arn:aws:logs:*:11111111864:*",
                        "arn:aws:logs:*:11111111735:*",
                        "arn:aws:logs:*:11111111215:*",
                        "arn:aws:logs:*:11111111760:*",
                        "arn:aws:logs:*:11111111466:*",
                        "arn:aws:logs:*:11111111704:*",
                        "arn:aws:logs:*:11111111395:*",
                        "arn:aws:logs:*:11111111653:*",
                        "arn:aws:logs:*:11111111392:*",
                        "arn:aws:logs:*:11111111413:*",
                        "arn:aws:logs:*:11111111796:*",
                        "arn:aws:logs:*:11111111914:*",
                        "arn:aws:logs:*:11111111446:*",
                        "arn:aws:logs:*:11111111690:*",
                        "arn:aws:logs:*:11111111199:*",
                        "arn:aws:logs:*:11111111136:*",
                        "arn:aws:logs:*:11111111667:*",
                        "arn:aws:logs:*:11111111731:*",
                        "arn:aws:logs:*:11111111723:*",
                        "arn:aws:logs:*:11111111459:*",
                        "arn:aws:logs:*:11111111365:*",
                        "arn:aws:logs:*:11111111270:*",
                        "arn:aws:logs:*:11111111879:*",
                        "arn:aws:logs:*:11111111658:*",
                        "arn:aws:logs:*:11111111744:*",
                        "arn:aws:logs:*:11111111601:*",
                        "arn:aws:logs:*:11111111804:*",
                        "arn:aws:logs:*:11111111462:*",
                        "arn:aws:logs:*:11111111339:*",
                        "arn:aws:logs:*:11111111975:*"
                    ]
                }
            }
        }
    ]
}

Which, as you can see, is a lot of accounts.

answered 2 years ago
  • Thanks WonderPhil. I spent hours on this yesterday as I had done exactly the same as you with the organization id in the trusted policy. Removing it got it working. Nice one.
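An added helper (not part of Phil's post, the answer, or the AWS documentation) that removes the manual upkeep the accepted answer complains about: it builds the per-account aws:SourceArn trust policy from `aws organizations list-accounts` output (a constructed sample is embedded below) and checks an existing trust policy for the aws:PrincipalOrgID condition that the CloudWatch Logs service principal does not satisfy. The region and the sample account IDs are assumptions for illustration.

```python
import json

# Constructed sample of `aws organizations list-accounts --output json`; the IDs are not real.
SAMPLE_LIST_ACCOUNTS = {
    "Accounts": [
        {"Id": "111111111064", "Status": "ACTIVE"},
        {"Id": "111111111608", "Status": "ACTIVE"},
        {"Id": "111111111423", "Status": "SUSPENDED"},  # suspended accounts should not be trusted
    ]
}


def active_account_ids(list_accounts_output):
    """Return the IDs of ACTIVE member accounts, sorted so regenerated policies diff cleanly."""
    return sorted(a["Id"] for a in list_accounts_output["Accounts"] if a["Status"] == "ACTIVE")


def build_trust_policy(account_ids, region="us-east-1"):
    """Trust policy for the destination role: the regional logs service principal may
    assume it only on behalf of log groups in the listed accounts (aws:SourceArn),
    which is the condition the accepted answer uses instead of aws:PrincipalOrgID."""
    source_arns = [f"arn:aws:logs:*:{acct}:*" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": f"logs.{region}.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {"aws:SourceArn": source_arns}},
        }],
    }


def trust_policy_problems(policy):
    """Flag statements trusting a logs.* service principal that rely on aws:PrincipalOrgID
    (not honoured here, so put-destination fails) or carry no aws:SourceArn restriction
    (any account's log groups could then use the role: a confused-deputy risk)."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        if not any(s.startswith("logs.") for s in services):
            continue
        cond = json.dumps(stmt.get("Condition", {}))
        if "aws:PrincipalOrgID" in cond:
            problems.append(f"statement {i}: aws:PrincipalOrgID is not honoured for the logs service principal")
        if "aws:SourceArn" not in cond:
            problems.append(f"statement {i}: no aws:SourceArn restriction on who may use the role")
    return problems
```

Feed the real `list-accounts` JSON to `active_account_ids` and write `json.dumps(build_trust_policy(...))` to the role's trust policy whenever the org changes; `trust_policy_problems` is the check to run before `aws logs put-destination`.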
