By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Cloudwatch logs to Opensearch subscriptions

0

Hi,

Im trying to set up cloudwatch logs to opensearch via: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_OpenSearch_Stream.html

  • Actions, Subscription filters, Create Amazon OpenSearch Service subscription filter

But the lambda is getting log errors for permissions.

The error is:

 "errorMessage": "{\"statusCode\":403,\"responseBody\":{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch, backend_roles=[arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch, backend_roles=[arn:aws:iam::xxxx:role/test-cloudwatch-2-opensearch], requestedTenant=null]\"},\"status\":403}}"

I ended up with the below IAM

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "es:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:es:eu-west-2:xxxx:domain/xxxx/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
1 Answer
2
Accepted Answer

Updated the opensearch cluster to add the lambda role a backend user. That resolved it!

answered a year ago
profile picture
EXPERT
reviewed 6 months ago
profile picture
EXPERT
reviewed 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions