Elasticache Logs to Cloudwatch

2

I'm using ElastiCache for Redis, cluster engine 6.2.6. I enabled engine and slow logs to a CloudWatch log group. I saw in the documentation that I need to add a policy to ElastiCache to be able to deliver logs or create log streams in CloudWatch, but I'm not able to edit service-linked roles (I'm an administrator). Is there anything I'm missing? I will be happy to provide more information if needed. Thanks!

  • Still struggling with getting the logs, any ideas ?

4 Answers
1

Does anyone have an idea why the policy is missing the necessary permissions?
Might it be related to ElastiCache updates?

Dor
answered a year ago
  • @Dor Have you been able to resolve the issue? I'm experiencing the same problem. The documentation isn't very helpful

  • No, still can't see logs correctly.

  • @Dor @Vrathore We are also facing the same issue; the necessary permissions for sending logs to CloudWatch from ElastiCache are not present.

0

In AWS, service-linked roles have permissions that are defined by the service that uses them. You cannot modify the permissions for these roles. They are designed to ensure that AWS services can securely manage resources in your account.

However, what you may need to do is to ensure that the necessary permissions are in place for CloudWatch to receive logs. If you're using a service-linked role for ElastiCache, the necessary permissions should already be in place, but if you're using a different role, you may need to add them.

The necessary permissions for writing logs to CloudWatch are:

  • logs:CreateLogDelivery
  • logs:UpdateLogDelivery
  • logs:DeleteLogDelivery
  • logs:GetLogDelivery
  • logs:ListLogDeliveries

These permissions need to be in the IAM policy for the role that's writing the logs. In the case of ElastiCache, the necessary permissions should already be in place with the service-linked role.

For the outlined steps, you can follow this link:

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Log_Delivery.html

EXPERT
answered a year ago
  • Thanks for your answer. I'm using a service-linked role but the permissions are not in place. I'm adding the policy of the role used by ElastiCache. Role: AWSServiceRoleForElastiCache

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:RevokeSecurityGroupIngress",
                    "cloudwatch:PutMetricData",
                    "outposts:GetOutpost",
                    "outposts:GetOutpostInstanceTypes",
                    "outposts:ListOutposts",
                    "outposts:ListSites"
                ],
                "Resource": "*"
            }
        ]
    }

0

Could anyone please help us with modifying the service-linked role policy/permissions for sending logs to CloudWatch from ElastiCache? Ideally, all the necessary permissions should be present here:

  • logs:CreateLogDelivery
  • logs:UpdateLogDelivery
  • logs:DeleteLogDelivery
  • logs:GetLogDelivery
  • logs:ListLogDeliveries

Mayank
answered 7 months ago
0

I was struggling with this for some time, but after opening a case with AWS, I was finally able to solve it.

Problem Overview

Enabling logs in ElastiCache requires granting the delivery.logs.amazonaws.com service permission to write into CloudWatch Logs. This service acts as a gateway for logging, and the necessary policy is automatically managed by AWS.

Checking Existing Policies

To verify existing policies, use the AWS Command Line Interface with the following command:

aws logs describe-resource-policies --region region

So in my case this was totally empty; nothing was allowed:

{
    "resourcePolicies": []
}

Adding Policies

Unfortunately, you can't manage these policies through the AWS Management Console. Instead, use awscli or a Terraform resource.

As an example, to grant full access to the mentioned services, execute the following command:

aws logs put-resource-policy --region ap-southeast- --policy-name AWSLogDeliveryWrite20150319 --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AWSLogDeliveryWrite\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":[\"*\"]}]}"

Note: The provided command grants full access; for more granular control, adjust the policy accordingly.

Verification

After updating the policies, revisit your Elasticache Redis settings. Disable and re-enable logs, and you should observe the issue resolved.

Actually, doing this from the console should force AWS to introduce/modify the proper policy automatically, but for some reason this does not always work as expected.

QiQe
answered 5 months ago
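The fix in the answer above (check describe-resource-policies, then put-resource-policy for delivery.logs.amazonaws.com) and the caller-side logs:*LogDelivery actions listed in the earlier answers, worked through as an added Python example. This is not code from the thread or from AWS. It assumes boto3 for the live step, a hypothetical log group /elasticache/redis in account 123456789012, and a policy shape that narrows the thread's "Resource": "*" to that one log group's streams with aws:SourceAccount / aws:SourceArn conditions (the keys AWS documents for service log delivery; treat them as an assumption and verify against the linked Log_Delivery page). The caller actions beyond the five in the thread (CreateLogGroup, PutResourcePolicy, DescribeResourcePolicies, DescribeLogGroups) are likewise taken from my reading of that page; check it. Conditions are not evaluated by the offline checker, only principal, actions and resource.

```python
"""Check and repair the CloudWatch Logs resource policy that ElastiCache
log delivery needs. Added example; not code from this thread or from AWS."""
import fnmatch
import json

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
DELIVERY_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}

# What the *caller* enabling log delivery needs in its own IAM policy: the
# five LogDelivery actions named in the thread plus the CloudWatch Logs
# actions the linked Log_Delivery page lists (assumption: verify there).
CALLER_ACTIONS = {
    "logs:CreateLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery",
    "logs:GetLogDelivery", "logs:ListLogDeliveries", "logs:CreateLogGroup",
    "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups",
}


def _as_list(value):
    """IAM lets Action/Resource/Principal.Service be a string or a list."""
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, group_arn):
    """True if one resource-policy statement lets the delivery principal run
    every DELIVERY_ACTION on streams of `group_arn` (IAM-style wildcards).
    Condition blocks are ignored, so this is an approximation of IAM."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    if principal == "*":
        services = ["*"]
    elif isinstance(principal, dict):
        services = _as_list(principal.get("Service", []))
    else:
        services = []
    if DELIVERY_PRINCIPAL not in services and "*" not in services:
        return False
    granted = _as_list(stmt.get("Action", []))
    if not all(any(fnmatch.fnmatchcase(a, g) for g in granted) for a in DELIVERY_ACTIONS):
        return False
    # CreateLogStream/PutLogEvents are authorised against the *stream* ARN.
    probe = f"{group_arn}:log-stream:probe"
    return any(fnmatch.fnmatchcase(probe, r) for r in _as_list(stmt.get("Resource", [])))


def delivery_allowed(describe_output, group_arn):
    """Evaluate the JSON returned by `aws logs describe-resource-policies`.
    The empty {"resourcePolicies": []} seen in the thread evaluates to False."""
    for policy in describe_output.get("resourcePolicies", []):
        document = json.loads(policy["policyDocument"])  # stored as a JSON string
        if any(_statement_allows(s, group_arn) for s in _as_list(document.get("Statement", []))):
            return True
    return False


def build_delivery_policy(region, account_id, log_group_name):
    """The thread's AWSLogDeliveryWrite statement, narrowed: only this log
    group's streams, and only deliveries originating from this account."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": DELIVERY_PRINCIPAL},
            "Action": sorted(DELIVERY_ACTIONS),
            "Resource": [f"{group_arn}:log-stream:*"],
            "Condition": {  # assumption: the condition keys AWS documents for log delivery
                "StringEquals": {"aws:SourceAccount": [account_id]},
                "ArnLike": {"aws:SourceArn": [f"arn:aws:logs:{region}:{account_id}:*"]},
            },
        }],
    }


def as_describe_output(policy_document, name="AWSLogDeliveryWrite20150319"):
    """Wrap a policy dict the way describe-resource-policies returns it, for offline checks."""
    return {"resourcePolicies": [{"policyName": name, "policyDocument": json.dumps(policy_document)}]}


def missing_caller_actions(identity_policy):
    """CALLER_ACTIONS that an IAM identity policy does not Allow (wildcards
    such as logs:* or * honoured; Deny statements are not evaluated)."""
    granted = []
    for stmt in _as_list(identity_policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            granted.extend(_as_list(stmt.get("Action", [])))
    return sorted(a for a in CALLER_ACTIONS if not any(fnmatch.fnmatchcase(a, g) for g in granted))


def ensure_delivery_policy(region, account_id, log_group_name, policy_name="AWSLogDeliveryWrite20150319"):
    """Live version of the fix: describe, then put the scoped policy only if
    nothing already allows the delivery principal. Needs boto3 and AWS
    credentials; returns True if a policy was written."""
    import boto3  # imported here so the offline functions above do not need it
    logs = boto3.client("logs", region_name=region)
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    if delivery_allowed(logs.describe_resource_policies(), group_arn):
        return False
    document = build_delivery_policy(region, account_id, log_group_name)
    logs.put_resource_policy(policyName=policy_name, policyDocument=json.dumps(document))
    return True


if __name__ == "__main__":
    # Constructed sample: the empty result from the thread, then the scoped fix.
    group = "arn:aws:logs:eu-west-1:123456789012:log-group:/elasticache/redis"
    print("empty account allows delivery:", delivery_allowed({"resourcePolicies": []}, group))
    fixed = as_describe_output(build_delivery_policy("eu-west-1", "123456789012", "/elasticache/redis"))
    print("after scoped policy:", delivery_allowed(fixed, group))
    print("missing for an admin (*):", missing_caller_actions({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}))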

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas