Can log destination work with KMS encrypted kinesis streams

0

I am following AWS CloudWatch Logs - Setting up a new cross-account subscription and I been able to get WAF logs from Account A to flow through to my Opensearch Cluster in Account B using the Documentation.

But I want to extend it so that everything is doing Encryption at Rest or Server Side Encryption, but I am having an issue when I try to create a log destination where I get an error saying "Check if the destination is valid".

I have the following setup:

Data stream with Server-side encryption using KMS managed key

IAM role called CWLtoKinesisRole with the following trusted Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }
            }
        }
    ]
}

and the following policy:

{
    "Statement": [
        {
            "Action": "kinesis:PutRecord",
            "Effect": "Allow",
            "Resource": "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient",
            "Sid": ""
        },
        {
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:*:123456789123:key/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

Then when I run:

aws logs put-destination \
    --destination-name "testDestination" \
    --target-arn "arn:aws:kinesis:region:123456789123:stream/logs-recipient" \
    --role-arn "arn:aws:iam::123456789123:role/CWLtoKinesisRole"

I get cloudwatch log destination: InvalidParameterException: Could not deliver test message to specified destination. Check if the destination is valid

Any direction on what I am missing here would be great,

thanks

Phil

1 Answer
0
Accepted Answer

So I figured it out, while the trusted policy allows for you to have:

"StringEquals": {
                    "aws:PrincipalOrgID": "o-12345"
                }

PrincipalOrgID isn't allowed for "Service": "logs.us-east-1.amazonaws.com"

Which is less then great, so I have to have the following and update everytime a new account is added to our Org:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:*:11111111064:*",
                        "arn:aws:logs:*:11111111608:*",
                        "arn:aws:logs:*:11111111423:*",
                        "arn:aws:logs:*:11111111580:*",
                        "arn:aws:logs:*:11111111684:*",
                        "arn:aws:logs:*:11111111264:*",
                        "arn:aws:logs:*:11111111864:*",
                        "arn:aws:logs:*:11111111735:*",
                        "arn:aws:logs:*:11111111215:*",
                        "arn:aws:logs:*:11111111760:*",
                        "arn:aws:logs:*:11111111466:*",
                        "arn:aws:logs:*:11111111704:*",
                        "arn:aws:logs:*:11111111395:*",
                        "arn:aws:logs:*:11111111653:*",
                        "arn:aws:logs:*:11111111392:*",
                        "arn:aws:logs:*:11111111413:*",
                        "arn:aws:logs:*:11111111796:*",
                        "arn:aws:logs:*:11111111914:*",
                        "arn:aws:logs:*:11111111446:*",
                        "arn:aws:logs:*:11111111690:*",
                        "arn:aws:logs:*:11111111199:*",
                        "arn:aws:logs:*:11111111136:*",
                        "arn:aws:logs:*:11111111667:*",
                        "arn:aws:logs:*:11111111731:*",
                        "arn:aws:logs:*:11111111723:*",
                        "arn:aws:logs:*:11111111459:*",
                        "arn:aws:logs:*:11111111365:*",
                        "arn:aws:logs:*:11111111270:*",
                        "arn:aws:logs:*:11111111879:*",
                        "arn:aws:logs:*:11111111658:*",
                        "arn:aws:logs:*:11111111744:*",
                        "arn:aws:logs:*:11111111601:*",
                        "arn:aws:logs:*:11111111804:*",
                        "arn:aws:logs:*:11111111462:*",
                        "arn:aws:logs:*:11111111339:*",
                        "arn:aws:logs:*:11111111975:*"
                    ]
                }
            }
        }
    ]
}

Which you can see a lot of accounts.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions