Elasticache Logs to Cloudwatch

2

I'm using ElastiCache for Redis, cluster engine 6.2.6. I enabled engine and slow logs to a CloudWatch log group. I saw in the documentation that I need to add a policy to ElastiCache to be able to deliver logs or create log streams in CloudWatch. But I'm not able to edit service-linked roles (I'm an administrator). Is there anything I'm missing? I will be happy to provide more information if needed. Thanks!

  • Still struggling with getting the logs, any ideas?

4 Answers
1

Does anyone have an idea why the policy is missing the necessary permissions?
Might it be related to ElastiCache updates?

Dor
answered a year ago
  • @Dor Have you been able to resolve the issue? I'm experiencing the same problem. The documentation isn't very helpful.

  • No, still can't see logs correctly.

  • @Dor @Vrathore We are also facing the same issue; the necessary permissions are not present for sending logs to CloudWatch from ElastiCache.

0

In AWS, service-linked roles have permissions that are defined by the service that uses them. You cannot modify the permissions for these roles. They are designed to ensure that AWS services can securely manage resources in your account.

However, what you may need to do is to ensure that the necessary permissions are in place for CloudWatch to receive logs. If you're using a service-linked role for ElastiCache, the necessary permissions should already be in place, but if you're using a different role, you may need to add them.

The necessary permissions for writing logs to CloudWatch are:

  • logs:CreateLogDelivery
  • logs:UpdateLogDelivery
  • logs:DeleteLogDelivery
  • logs:GetLogDelivery
  • logs:ListLogDeliveries

These permissions need to be in the IAM policy for the role that's writing the logs. In the case of ElastiCache, the necessary permissions should already be in place with the service-linked role.

For the outlined steps, you can follow this link:

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Log_Delivery.html

EXPERT
answered a year ago
  • Thanks for your answer. I'm using a service-linked role but the permissions are not in place. I'm adding the policy of the role used by ElastiCache. Role: AWSServiceRoleForElastiCache

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "ec2:AuthorizeSecurityGroupIngress",
                        "ec2:CreateNetworkInterface",
                        "ec2:CreateSecurityGroup",
                        "ec2:DeleteNetworkInterface",
                        "ec2:DeleteSecurityGroup",
                        "ec2:DescribeAvailabilityZones",
                        "ec2:DescribeNetworkInterfaces",
                        "ec2:DescribeSecurityGroups",
                        "ec2:DescribeSubnets",
                        "ec2:DescribeVpcs",
                        "ec2:ModifyNetworkInterfaceAttribute",
                        "ec2:RevokeSecurityGroupIngress",
                        "cloudwatch:PutMetricData",
                        "outposts:GetOutpost",
                        "outposts:GetOutpostInstanceTypes",
                        "outposts:ListOutposts",
                        "outposts:ListSites"
                    ],
                    "Resource": "*"
                }
            ]
        }

0

Could anyone please help us with modifying the service-linked role policy/permissions for sending logs to CloudWatch from ElastiCache? Ideally, all the necessary permissions should be present here:

  • logs:CreateLogDelivery
  • logs:UpdateLogDelivery
  • logs:DeleteLogDelivery
  • logs:GetLogDelivery
  • logs:ListLogDeliveries

Mayank
answered 7 months ago
0

I was struggling with this for some time, but after opening a case with AWS, I finally was able to solve it.

Problem Overview

Enabling logs in ElastiCache requires granting the delivery.logs.amazonaws.com service permission to write into CloudWatch Logs. This service serves as a gateway for logging, and the necessary policy is automatically managed by AWS.

Checking Existing Policies

To verify existing policies, use the AWS Command Line Interface with the following command:

    aws logs describe-resource-policies --region region

In my case, this was totally empty; nothing was allowed:

    {
        "resourcePolicies": []
    }

Adding Policies

Unfortunately, you can't manage these policies through the AWS Management Console. Instead, use awscli or a Terraform resource.

As an example, to grant full access to the mentioned services, execute the following command:

    aws logs put-resource-policy --region ap-southeast- --policy-name AWSLogDeliveryWrite20150319 --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AWSLogDeliveryWrite\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":[\"*\"]}]}"

Note: The provided command grants full access; for more granular control, adjust the policy accordingly.

Verification

After updating the policies, revisit your ElastiCache Redis settings. Disable and re-enable logs, and you should observe the issue resolved.

Actually, doing this from the console should force AWS to introduce/modify the proper policy automatically, but for some reason this does not always work as expected.

QiQe
answered 5 months ago
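The check-then-put procedure in the answer above, as an added example that is not part of QiQe's answer or of any AWS tooling. It does three things the answer only describes: it parses the JSON that `aws logs describe-resource-policies` returns and decides whether `delivery.logs.amazonaws.com` is actually allowed to create streams and put events in a given log group; it builds the same `AWSLogDeliveryWrite` policy scoped to one log group's streams instead of `"Resource": ["*"]` (the `aws:SourceAccount` / `aws:SourceArn` conditions are my addition, using the standard IAM global condition keys, so that delivery configured in another account cannot write into your group); and it assembles the `put-resource-policy` call as an argv list so the policy document needs no shell quote-escaping. The region, account id and log group name are constructed placeholders, as is the sample API response.

```python
import json
from fnmatch import fnmatchcase

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def log_group_arn(region, account_id, group_name):
    """ARN of a CloudWatch Logs log group (without the trailing ':*')."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{group_name}"


def build_delivery_policy(region, account_id, group_name):
    """Resource policy letting the log-delivery service write into ONE log group.

    Scoped variant of the answer's policy: Resource names this group's streams
    rather than "*". The SourceAccount/SourceArn conditions are an assumption
    added here (standard global condition keys) to block cross-account delivery.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": DELIVERY_PRINCIPAL},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": [f"{log_group_arn(region, account_id, group_name)}:log-stream:*"],
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"},
            },
        }],
    }


def _as_list(value):
    """IAM allows a bare string wherever a list is accepted; normalise to list."""
    return value if isinstance(value, list) else [value]


def delivery_allowed(describe_output, region, account_id, group_name):
    """Given the parsed JSON of `aws logs describe-resource-policies`, report
    whether some Allow statement lets delivery.logs.amazonaws.com run both
    required actions on a stream inside the named log group."""
    target = f"{log_group_arn(region, account_id, group_name)}:log-stream:example"
    for policy in describe_output.get("resourcePolicies", []):
        doc = json.loads(policy["policyDocument"])  # policyDocument is a JSON string
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {})
            services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else _as_list(principal)
            if DELIVERY_PRINCIPAL not in services and "*" not in services:
                continue
            actions = _as_list(stmt.get("Action", []))
            if not all(any(fnmatchcase(need, a) for a in actions) for need in REQUIRED_ACTIONS):
                continue
            if any(fnmatchcase(target, r) for r in _as_list(stmt.get("Resource", []))):
                return True
    return False


def put_policy_command(region, policy_name, policy):
    """argv for the CLI call from the answer, ready for subprocess.run(); passing
    the document as one argument avoids the escaped-quote mess of a shell line."""
    return ["aws", "logs", "put-resource-policy", "--region", region,
            "--policy-name", policy_name, "--policy-document", json.dumps(policy)]


# Constructed sample inputs (placeholders, not real account data).
EMPTY_RESPONSE = {"resourcePolicies": []}  # what the answer saw before the fix


def sample_response_after_put(region, account_id, group_name):
    """Constructed: the shape describe-resource-policies returns once the policy exists."""
    return {"resourcePolicies": [{
        "policyName": "AWSLogDeliveryWrite20150319",
        "policyDocument": json.dumps(build_delivery_policy(region, account_id, group_name)),
        "lastUpdatedTime": 1700000000000,
    }]}


if __name__ == "__main__":
    region, account, group = "eu-west-1", "123456789012", "/aws/elasticache/slow-log"
    print("before:", delivery_allowed(EMPTY_RESPONSE, region, account, group))
    after = sample_response_after_put(region, account, group)
    print("after: ", delivery_allowed(after, region, account, group))
    print(" ".join(put_policy_command(region, "AWSLogDeliveryWrite20150319",
                                      build_delivery_policy(region, account, group))))
```

Run `delivery_allowed` against the real `describe-resource-policies` output (loaded with `json.load`) before and after the put; a `False` on the engine-log group after you fixed the slow-log group is the reminder that a group-scoped policy has to name every log group ElastiCache delivers to, and that a region's resource policies are limited in number, so one policy listing several groups is usually preferable to one policy per group.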
