CloudFront Real-Time Log Configuration - Cross Account

0

Hi all,

In our AWS Organization we have a centralized LogArchive account used by our Security Team, where we usually send all CloudWatch logs from all of our Application Accounts (the accounts where we deploy our application workloads).

We are looking forward to doing the same with CloudFront Real-Time logs; we need to send all of them to this centralized log account.

I tried quickly using the CLI to set up the Real-Time Logs Configuration for one of our CloudFront Distributions, pointing to a Kinesis Data Stream and an IAM Role in the LogArchive Account:

  • CLI Command:
aws cloudfront create-realtime-log-config --cli-input-json "file://rtl-config.json"
  • JSON Input:
{
    "EndPoints": [
        {
            "StreamType": "Kinesis",
            "KinesisStreamConfig": {
                "RoleARN": "arn:aws:iam::LogAccountID:role/CloudFrontRealtimeLogConfigRole",
                "StreamARN": "arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream"
            }
        }
    ],
    "Fields": [
        "c-country"
    ],
    "Name": "demorealtime",
    "SamplingRate": 1
}
  • IAM Role Trust Relationship in the LogArchive Account:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "ApplicationAccountID"
                }
            }
        }
    ]
}
  • Test Results:
An error occurred (AccessDenied) when calling the CreateRealtimeLogConfig operation: Cross-account pass role is not allowed.

So, I was wondering if there is a direct way to send all CloudFront Real-Time Logs to a cross-account Kinesis Data Stream/Firehose?

Thanks

2 Answers
0

Hi, if you follow this resource (https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/), you can see that you need the following:

  • IAM policy in the source account
  • IAM role and trust policy in the target account.

Make sure the IAM role account has the appropriate permissions to access and put logs in the Kinesis stream.

EXPERT
answered a year ago
  • After updating the IAM Role in the source account as suggested, now I'm receiving a different error:

    An error occurred (InvalidArgument) when calling the CreateRealtimeLogConfig operation: The parameter EndPoint arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream is not valid because it is in a different AWS account.

  • Note that the IAM role is in the target account. The source account has an IAM policy assuming the role name which is defined in the target account. Then in the source account you have to attach it to the proper user/service. Try following the guide step by step.

  • I followed everything mentioned in the guide. I'm afraid there is no support for CloudFront Real-Time Logging cross-account. This is what I can understand from the received error:

    An error occurred (InvalidArgument) when calling the CreateRealtimeLogConfig operation: The parameter EndPoint arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream is not valid because it is in a different AWS account

0

Yes, you are correct.

At the moment CloudFront real-time logging (CreateRealtimeLogConfig) to Kinesis Data Stream does not support cross-account access.

AWS
Ketan B
answered a year ago
  • Is there an official source?

  • Publicly not at the moment.

    But, on the CloudFront real-time logging console page you will get this message: The parameter EndPoint <your KDS ARN> is not valid because it is in a different AWS account
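The thread above ends with the finding that CreateRealtimeLogConfig rejects a Kinesis endpoint owned by another account. As an added example (not code from this thread or from AWS), the script below is a pre-flight check that parses the ARNs in an rtl-config.json like the one in the question and reports any endpoint whose role or stream account does not match the account making the call, so the mismatch is caught before the API is invoked. The config is a constructed copy of the question's JSON with placeholder account IDs; the function names and the optional STS lookup helper are my own, and SAMPLE_CONFIG is labelled as constructed.

```python
"""Pre-flight check for a CloudFront real-time log config (illustrative, not AWS code)."""
import json
from typing import Dict, List

# Constructed sample mirroring the question's rtl-config.json; account IDs are placeholders.
SAMPLE_CONFIG: Dict = {
    "EndPoints": [
        {
            "StreamType": "Kinesis",
            "KinesisStreamConfig": {
                "RoleARN": "arn:aws:iam::LogAccountID:role/CloudFrontRealtimeLogConfigRole",
                "StreamARN": "arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream",
            },
        }
    ],
    "Fields": ["c-country"],
    "Name": "demorealtime",
    "SamplingRate": 1,
}


def arn_account(arn: str) -> str:
    """Return the account-id field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]


def check_realtime_log_config(config: Dict, caller_account: str) -> List[str]:
    """Return a list of problems that would make CreateRealtimeLogConfig fail.

    The key check is the one the thread ran into: every Kinesis endpoint's role and
    stream must live in the same account as the distribution/caller, because
    CloudFront does not accept cross-account endpoints.
    """
    problems: List[str] = []
    for i, endpoint in enumerate(config.get("EndPoints", [])):
        if endpoint.get("StreamType") != "Kinesis":
            problems.append(f"EndPoints[{i}]: StreamType must be 'Kinesis'")
            continue
        kcfg = endpoint.get("KinesisStreamConfig", {})
        for key in ("RoleARN", "StreamARN"):
            arn = kcfg.get(key)
            if not arn:
                problems.append(f"EndPoints[{i}]: missing {key}")
                continue
            account = arn_account(arn)
            if account != caller_account:
                problems.append(
                    f"EndPoints[{i}]: {key} {arn} is in account {account}, not caller "
                    f"account {caller_account}; CloudFront rejects cross-account endpoints"
                )
    rate = config.get("SamplingRate")
    if not isinstance(rate, int) or not 1 <= rate <= 100:
        problems.append("SamplingRate must be an integer between 1 and 100")
    if not config.get("Fields"):
        problems.append("Fields must list at least one log field")
    return problems


def load_config(path: str) -> Dict:
    """Load the same JSON file that would be passed via --cli-input-json."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def caller_account_via_sts() -> str:
    """Optional live lookup of the calling account (requires boto3 and credentials)."""
    import boto3  # imported lazily so the offline checks above need no SDK

    return boto3.client("sts").get_caller_identity()["Account"]


if __name__ == "__main__":
    # Simulate the question's situation: the call is made from the application account.
    for problem in check_realtime_log_config(SAMPLE_CONFIG, "ApplicationAccountID"):
        print("PROBLEM:", problem)
```

Running it with the application account as the caller prints two problems (one for the role ARN, one for the stream ARN); re-running with the log account as the caller, i.e. with the stream and role in the same account as the distribution, prints nothing. The same check can be pointed at a real file with `load_config("rtl-config.json")` and `caller_account_via_sts()` before calling `aws cloudfront create-realtime-log-config`.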
