Cloudwatch logs to Opensearch subscriptions

Question

Hi,

Im trying to set up cloudwatch logs to opensearch via: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_OpenSearch_Stream.html

- Actions, Subscription filters, Create Amazon OpenSearch Service subscription filter

But the lambda is getting log errors for permissions.

The error is:

```
 "errorMessage": "{\"statusCode\":403,\"responseBody\":{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch, backend_roles=[arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch, backend_roles=[arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch], requestedTenant=null]\"},\"status\":403}}"
```

I ended up with the below IAM

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "es:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:es:eu-west-2:xxxx:domain/xxxx/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
```

Accepted Answer

Updated the opensearch cluster to add the lambda role a backend user. That resolved it!

Cloudwatch logs to Opensearch subscriptions

Relevant content