Can a log destination work with KMS-encrypted Kinesis streams?


I am following AWS CloudWatch Logs - Setting up a new cross-account subscription and I have been able to get WAF logs from Account A to flow through to my OpenSearch cluster in Account B using the documentation.

But I want to extend it so that everything is using encryption at rest (server-side encryption), but I am having an issue when I try to create a log destination, where I get an error saying "Check if the destination is valid".

I have the following setup:

Data stream with server-side encryption using a KMS-managed key

IAM role called CWLtoKinesisRole with the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }
            }
        }
    ]
}

and the following policy:

{
    "Statement": [
        {
            "Action": "kinesis:PutRecord",
            "Effect": "Allow",
            "Resource": "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient",
            "Sid": ""
        },
        {
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:*:123456789123:key/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

Then when I run:

aws logs put-destination \
    --destination-name "testDestination" \
    --target-arn "arn:aws:kinesis:region:123456789123:stream/logs-recipient" \
    --role-arn "arn:aws:iam::123456789123:role/CWLtoKinesisRole"

I get: cloudwatch log destination: InvalidParameterException: Could not deliver test message to specified destination. Check if the destination is valid

Any direction on what I am missing here would be great.

thanks

Phil

1 Answer
Accepted Answer

So I figured it out. While the trust policy allows you to have:

"StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }

aws:PrincipalOrgID isn't allowed for "Service": "logs.us-east-1.amazonaws.com"

Which is less than great, so I have to have the following and update it every time a new account is added to our Org:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:*:11111111064:*",
                        "arn:aws:logs:*:11111111608:*",
                        "arn:aws:logs:*:11111111423:*",
                        "arn:aws:logs:*:11111111580:*",
                        "arn:aws:logs:*:11111111684:*",
                        "arn:aws:logs:*:11111111264:*",
                        "arn:aws:logs:*:11111111864:*",
                        "arn:aws:logs:*:11111111735:*",
                        "arn:aws:logs:*:11111111215:*",
                        "arn:aws:logs:*:11111111760:*",
                        "arn:aws:logs:*:11111111466:*",
                        "arn:aws:logs:*:11111111704:*",
                        "arn:aws:logs:*:11111111395:*",
                        "arn:aws:logs:*:11111111653:*",
                        "arn:aws:logs:*:11111111392:*",
                        "arn:aws:logs:*:11111111413:*",
                        "arn:aws:logs:*:11111111796:*",
                        "arn:aws:logs:*:11111111914:*",
                        "arn:aws:logs:*:11111111446:*",
                        "arn:aws:logs:*:11111111690:*",
                        "arn:aws:logs:*:11111111199:*",
                        "arn:aws:logs:*:11111111136:*",
                        "arn:aws:logs:*:11111111667:*",
                        "arn:aws:logs:*:11111111731:*",
                        "arn:aws:logs:*:11111111723:*",
                        "arn:aws:logs:*:11111111459:*",
                        "arn:aws:logs:*:11111111365:*",
                        "arn:aws:logs:*:11111111270:*",
                        "arn:aws:logs:*:11111111879:*",
                        "arn:aws:logs:*:11111111658:*",
                        "arn:aws:logs:*:11111111744:*",
                        "arn:aws:logs:*:11111111601:*",
                        "arn:aws:logs:*:11111111804:*",
                        "arn:aws:logs:*:11111111462:*",
                        "arn:aws:logs:*:11111111339:*",
                        "arn:aws:logs:*:11111111975:*"
                    ]
                }
            }
        }
    ]
}

As you can see, that is a lot of accounts.

answered 2 years ago
  • Thanks WonderPhil. I spent hours on this yesterday as I had done exactly the same as you with the organization id in the trusted policy. Removing it got it working. Nice one.
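An added example, not part of the question or the answer above: a Python script that generates the two IAM documents the thread converges on (a trust policy conditioned on aws:SourceArn per sender account instead of aws:PrincipalOrgID, and a permissions policy for the KMS-encrypted stream), lints a trust policy for the aws:PrincipalOrgID-on-a-service-principal mistake that caused the "Could not deliver test message" error, and prints the CLI calls that consume the documents. The stream ARN, role name and region are the question's; the account IDs, the KMS key ID, the policy name CWLtoKinesisPolicy, the narrowing of the KMS grant to a single key ARN, and the inclusion of the destination account in aws:SourceArn are assumptions made here.

```python
"""Build the IAM documents for a CloudWatch Logs cross-account destination whose
target is a KMS-encrypted Kinesis stream, and lint a trust policy for the mistake
that produced the "Could not deliver test message" error in the question."""
import json

# Constructed placeholder values (account IDs and key ID are not real).
DESTINATION_ACCOUNT = "123456789123"
REGION = "us-east-1"
ROLE_NAME = "CWLtoKinesisRole"
STREAM_ARN = f"arn:aws:kinesis:{REGION}:{DESTINATION_ACCOUNT}:stream/logs-recipient"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{DESTINATION_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SENDER_ACCOUNTS = ["111111111111", "222222222222"]

# The trust policy from the question, reproduced as the negative test case.
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-12345"}},
    }],
}


def trust_policy(sender_accounts, destination_account=DESTINATION_ACCOUNT, region=REGION):
    """Trust policy for the role: logs.<region>.amazonaws.com may assume it only on behalf
    of log groups in the listed accounts (aws:SourceArn), the pattern the accepted answer
    ends up with. Assumption: the destination account itself is included so that the
    test delivery issued by put-destination from that account is covered too.
    aws:PrincipalOrgID is deliberately absent: a service principal is not an organization
    member, so the key is missing from the request context and StringEquals on it denies."""
    accounts = sorted(set(sender_accounts) | {destination_account})
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": f"logs.{region}.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {
                "aws:SourceArn": [f"arn:aws:logs:*:{acct}:*" for acct in accounts]
            }},
        }],
    }


def permissions_policy(stream_arn=STREAM_ARN, kms_key_arn=KMS_KEY_ARN):
    """Permissions for the role: PutRecord on exactly one stream, and the KMS actions from
    the question on exactly the key that stream is encrypted with. The question's policy
    granted key/* in every region; narrowing it to one key ARN is a choice made here."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "kinesis:PutRecord", "Resource": stream_arn},
            {"Effect": "Allow",
             "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"],
             "Resource": kms_key_arn},
        ],
    }


def lint_trust_policy(policy):
    """Return findings for each service-principal statement that either relies on
    aws:PrincipalOrgID (not applicable to service principals, so AssumeRole is denied) or
    carries no aws:SourceArn/aws:SourceAccount condition (AWS confused-deputy guidance)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            continue  # only service principals are relevant here
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        svc = principal["Service"]
        if "aws:principalorgid" in keys:
            findings.append(f"statement {i}: aws:PrincipalOrgID does not apply to service "
                            f"principal {svc}; use aws:SourceArn or aws:SourceAccount")
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(f"statement {i}: service principal {svc} has no "
                            f"aws:SourceArn/aws:SourceAccount condition")
    return findings


def cli_commands(role_name=ROLE_NAME, stream_arn=STREAM_ARN, destination_account=DESTINATION_ACCOUNT):
    """The AWS CLI calls that consume the two documents, with a real region in the target
    ARN (the question's put-destination still carried the docs' literal 'region')."""
    return [
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document file://trust.json",
        f"aws iam put-role-policy --role-name {role_name} --policy-name CWLtoKinesisPolicy "
        f"--policy-document file://permissions.json",
        f"aws logs put-destination --destination-name testDestination --target-arn {stream_arn} "
        f"--role-arn arn:aws:iam::{destination_account}:role/{role_name}",
    ]


if __name__ == "__main__":
    with open("trust.json", "w") as f:
        json.dump(trust_policy(SENDER_ACCOUNTS), f, indent=2)
    with open("permissions.json", "w") as f:
        json.dump(permissions_policy(), f, indent=2)
    for finding in lint_trust_policy(BROKEN_TRUST_POLICY):
        print("question's trust policy:", finding)
    print("\n".join(cli_commands()))
```

Running the script writes trust.json and permissions.json, reports two findings against the question's original trust policy, and prints the three CLI calls; regenerating trust.json from an updated account list is how the "update every time a new account is added" step in the answer stays mechanical rather than hand-edited.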
