CloudFront Real-Time Log Configuration - Cross Account

0

Hi all,

In our AWS Organization we have a LogArchive centralized account used by our Security Team, where we usually send all CloudWatch logs from all of our Application Accounts (the accounts where we deploy our application workloads).

We are looking forward to doing the same with CloudFront Real-Time logs: we need to send all of them to this centralized log account.

I tried quickly using the CLI to set up the Real-Time Logs configuration for one of our CloudFront Distributions, pointing to a Kinesis Data Stream and an IAM Role in the LogArchive Account:

  • CLI Command:
aws cloudfront create-realtime-log-config --cli-input-json "file://rtl-config.json"
  • JSON Input:
{
    "EndPoints": [
        {
            "StreamType": "Kinesis",
            "KinesisStreamConfig": {
                "RoleARN": "arn:aws:iam::LogAccountID:role/CloudFrontRealtimeLogConfigRole",
                "StreamARN": "arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream"
            }
        }
    ],
    "Fields": [
        "c-country"
    ],
    "Name": "demorealtime",
    "SamplingRate": 1
}
  • IAM Role Trust Relationship in the LogArchive Account:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "ApplicationAccountID"
                }
            }
        }
    ]
}
  • Test Results:
An error occurred (AccessDenied) when calling the CreateRealtimeLogConfig operation: Cross-account pass role is not allowed.

So, I was wondering if there is a direct way to send all CloudFront Real-Time Logs to a cross-account Kinesis Data Stream/Firehose?

Thanks

2 answers
0

Hi, if you follow this resource (https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/), you can see that you need the following:

  • IAM policy in the source account
  • IAM role and trusted policy in the target account.

Make sure the IAM role account has the appropriate permissions to access and put logs in the Kinesis stream.

Expert
answered a year ago
  • After updating the IAM Role in the source account as suggested, I'm now receiving a different error:

    An error occurred (InvalidArgument) when calling the CreateRealtimeLogConfig operation: The parameter EndPoint arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream is not valid because it is in a different AWS account.

  • Note that the IAM role is in the target account. The source account has an IAM policy assuming the role name which is defined in the target account. Then in the source account you have to attach it to the proper user/service. Try following the guide step by step.

  • I followed everything mentioned in the guide. I'm afraid there is no support for CloudFront Real-Time Logging cross-account. This is what I can understand from the received error:

    An error occurred (InvalidArgument) when calling the CreateRealtimeLogConfig operation: The parameter EndPoint arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream is not valid because it is in a different AWS account

0

Yes, you are correct.

At the moment CloudFront real-time logging (CreateRealtimeLogConfig) to Kinesis Data Stream does not support cross-account access.

AWS
Ketan B
answered a year ago
  • Is there an official source?

  • Publicly not at the moment.

    But on the CloudFront real-time logging console page you will get this message: The parameter EndPoint <your KDS ARN> is not valid because it is in a different AWS account
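Since CreateRealtimeLogConfig rejects a Kinesis endpoint or role that lives in another account, a preflight check that compares the account id in every ARN of the `--cli-input-json` file with the caller's account catches the misconfiguration before the API call. This is an added example, not code from the thread; the config file path and the account ids used to exercise it are assumptions, and `aws sts get-caller-identity` is the real CLI call that resolves the caller's account.

```shell
#!/bin/sh
# Preflight for `aws cloudfront create-realtime-log-config`:
# every RoleARN and StreamARN in the input JSON must belong to the
# account running the command, otherwise CloudFront returns
# "not valid because it is in a different AWS account".

# Print the account id of an ARN (5th colon-separated field).
# Works for IAM ARNs with an empty region field and for Kinesis ARNs.
arn_account() {
    printf '%s\n' "$1" | cut -d: -f5
}

# Account of the identity the CLI will use (real AWS CLI call,
# requires configured credentials; not invoked in the checks below).
caller_account() {
    aws sts get-caller-identity --query Account --output text
}

# Usage: check_rtl_config <rtl-config.json> <caller-account-id>
# Returns 0 when all ARNs in the file are in the caller's account,
# 1 otherwise, printing each foreign ARN so the operator can fix it.
check_rtl_config() {
    config="$1"
    caller="$2"
    status=0
    for arn in $(grep -o '"arn:aws:[^"]*"' "$config" | tr -d '"'); do
        acct=$(arn_account "$arn")
        if [ "$acct" != "$caller" ]; then
            echo "cross-account endpoint rejected by CloudFront: $arn (account $acct, caller $caller)"
            status=1
        fi
    done
    return $status
}

# Run the check and only then create the realtime log config.
# Usage: create_rtl_config_checked rtl-config.json
create_rtl_config_checked() {
    cfg="$1"
    me=$(caller_account) || return 1
    check_rtl_config "$cfg" "$me" || return 1
    aws cloudfront create-realtime-log-config --cli-input-json "file://$cfg"
}
```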
