Hi,
I'm trying to set up CloudWatch Logs to OpenSearch via: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_OpenSearch_Stream.html
- Actions, Subscription filters, Create Amazon OpenSearch Service subscription filter
But the Lambda is getting permission errors in its logs.
The error is:
"errorMessage": "{\"statusCode\":403,\"responseBody\":{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch, backend_roles=[arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch, backend_roles=[arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch], requestedTenant=null]\"},\"status\":403}}"
I ended up with the IAM policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "es:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:es:eu-west-2:xxxx:domain/xxxx/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}