Can log destination work with KMS encrypted kinesis streams

0

I am following AWS CloudWatch Logs - Setting up a new cross-account subscription and I have been able to get WAF logs from Account A to flow through to my Opensearch Cluster in Account B using the Documentation.

But I want to extend it so that everything is doing Encryption at Rest or Server Side Encryption, but I am having an issue when I try to create a log destination where I get an error saying "Check if the destination is valid".

I have the following setup:

Data stream with Server-side encryption using KMS managed key

IAM role called CWLtoKinesisRole with the following trusted Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }
            }
        }
    ]
}

and the following policy:

{
    "Statement": [
        {
            "Action": "kinesis:PutRecord",
            "Effect": "Allow",
            "Resource": "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient",
            "Sid": ""
        },
        {
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:*:123456789123:key/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

Then when I run:

aws logs put-destination \
    --destination-name "testDestination" \
    --target-arn "arn:aws:kinesis:region:123456789123:stream/logs-recipient" \
    --role-arn "arn:aws:iam::123456789123:role/CWLtoKinesisRole"

I get cloudwatch log destination: InvalidParameterException: Could not deliver test message to specified destination. Check if the destination is valid

Any direction on what I am missing here would be great,

thanks

Phil

1 Answer
1
Accepted answer

So I figured it out, while the trusted policy allows for you to have:

"StringEquals": {
    "aws:PrincipalOrgID": "o-12345"
}

PrincipalOrgID isn't allowed for "Service": "logs.us-east-1.amazonaws.com"

Which is less than great, so I have to have the following and update it every time a new account is added to our Org:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:*:11111111064:*",
                        "arn:aws:logs:*:11111111608:*",
                        "arn:aws:logs:*:11111111423:*",
                        "arn:aws:logs:*:11111111580:*",
                        "arn:aws:logs:*:11111111684:*",
                        "arn:aws:logs:*:11111111264:*",
                        "arn:aws:logs:*:11111111864:*",
                        "arn:aws:logs:*:11111111735:*",
                        "arn:aws:logs:*:11111111215:*",
                        "arn:aws:logs:*:11111111760:*",
                        "arn:aws:logs:*:11111111466:*",
                        "arn:aws:logs:*:11111111704:*",
                        "arn:aws:logs:*:11111111395:*",
                        "arn:aws:logs:*:11111111653:*",
                        "arn:aws:logs:*:11111111392:*",
                        "arn:aws:logs:*:11111111413:*",
                        "arn:aws:logs:*:11111111796:*",
                        "arn:aws:logs:*:11111111914:*",
                        "arn:aws:logs:*:11111111446:*",
                        "arn:aws:logs:*:11111111690:*",
                        "arn:aws:logs:*:11111111199:*",
                        "arn:aws:logs:*:11111111136:*",
                        "arn:aws:logs:*:11111111667:*",
                        "arn:aws:logs:*:11111111731:*",
                        "arn:aws:logs:*:11111111723:*",
                        "arn:aws:logs:*:11111111459:*",
                        "arn:aws:logs:*:11111111365:*",
                        "arn:aws:logs:*:11111111270:*",
                        "arn:aws:logs:*:11111111879:*",
                        "arn:aws:logs:*:11111111658:*",
                        "arn:aws:logs:*:11111111744:*",
                        "arn:aws:logs:*:11111111601:*",
                        "arn:aws:logs:*:11111111804:*",
                        "arn:aws:logs:*:11111111462:*",
                        "arn:aws:logs:*:11111111339:*",
                        "arn:aws:logs:*:11111111975:*"
                    ]
                }
            }
        }
    ]
}

Which, as you can see, is a lot of accounts.

answered 2 years ago
  • Thanks WonderPhil. I spent hours on this yesterday as I had done exactly the same as you with the organization id in the trusted policy. Removing it got it working. Nice one.
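Because the logs service principal cannot be scoped with aws:PrincipalOrgID, the trust policy above has to enumerate every source account as an aws:SourceArn pattern and be regenerated whenever the organization changes. The following is an added example, not code from the question, the answer or AWS: it builds that trust policy from a list of account IDs and audits an existing policy against the current org membership, flagging accounts that are missing (delivery from them will fail), accounts that are still trusted after leaving the org, and any leftover aws:PrincipalOrgID condition. The account IDs and the trimmed `list-accounts` listing are constructed sample data, and the `build_trust_policy`, `trusted_accounts` and `audit_trust_policy` names are this example's own.

```python
"""Keep a CloudWatch Logs destination trust policy in sync with an AWS Organization.

Added example (not the original post's code). Account IDs below are constructed
placeholders; in practice the listing would come from `aws organizations list-accounts`.
"""
import json

LOGS_SERVICE_PRINCIPAL = "logs.us-east-1.amazonaws.com"


def build_trust_policy(account_ids, service_principal=LOGS_SERVICE_PRINCIPAL):
    """Trust policy for CWLtoKinesisRole with one aws:SourceArn pattern per account."""
    arns = [f"arn:aws:logs:*:{acct}:*" for acct in sorted(set(account_ids))]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {"Service": service_principal},
                "Action": "sts:AssumeRole",
                # StringLike so the region and log-group parts stay wildcards
                "Condition": {"StringLike": {"aws:SourceArn": arns}},
            }
        ],
    }


def _as_list(value):
    """IAM accepts either a single string or a list in condition and principal slots."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _logs_statements(policy):
    """Yield Allow statements whose principal is a CloudWatch Logs service principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if any(s.startswith("logs.") and s.endswith(".amazonaws.com") for s in services):
            yield stmt


def trusted_accounts(policy):
    """Account IDs admitted through aws:SourceArn on the logs service principal."""
    found = set()
    for stmt in _logs_statements(policy):
        for operator in ("StringLike", "StringEquals", "ArnLike", "ArnEquals"):
            for arn in _as_list(stmt.get("Condition", {}).get(operator, {}).get("aws:SourceArn")):
                parts = arn.split(":")
                # arn:partition:service:region:account:resource -> account ID is index 4
                if len(parts) >= 6 and parts[2] == "logs" and parts[4].isdigit():
                    found.add(parts[4])
    return found


def uses_principal_org_id(policy):
    """True when a logs-service statement still relies on aws:PrincipalOrgID (the failing setup)."""
    for stmt in _logs_statements(policy):
        for operator_values in stmt.get("Condition", {}).values():
            if isinstance(operator_values, dict) and "aws:PrincipalOrgID" in operator_values:
                return True
    return False


def audit_trust_policy(policy, org_account_ids):
    """Compare the policy with current org membership; returns missing, stale and the org-id flag."""
    org = set(org_account_ids)
    trusted = trusted_accounts(policy)
    return {
        "missing": sorted(org - trusted),        # new members whose delivery will fail
        "stale": sorted(trusted - org),          # accounts still trusted after leaving
        "principal_org_id": uses_principal_org_id(policy),
    }


# Constructed sample of an `aws organizations list-accounts` response, trimmed to
# the fields used here. These IDs are placeholders, not real accounts.
SAMPLE_ORG_LISTING = {
    "Accounts": [
        {"Id": "111111111111", "Name": "security", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "prod-web", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "sandbox", "Status": "ACTIVE"},
        {"Id": "444444444444", "Name": "closed", "Status": "SUSPENDED"},
    ]
}


def active_account_ids(listing):
    """Only ACTIVE accounts are trusted; suspended ones are dropped from the policy."""
    return [a["Id"] for a in listing["Accounts"] if a["Status"] == "ACTIVE"]


if __name__ == "__main__":
    current = build_trust_policy(["111111111111", "222222222222", "999999999999"])
    print(json.dumps(audit_trust_policy(current, active_account_ids(SAMPLE_ORG_LISTING)), indent=2))
```

Run the audit from a pipeline that already has the org listing and the role's current trust policy, and treat a non-empty `missing` list as a delivery outage waiting to happen and a non-empty `stale` list as an unneeded trust to remove.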
