Can you take a look at the credentials section of the config file?
I am working on a configuration file to send logs directly to a cross-account CloudWatch, and from there to S3, to eliminate the maintenance of S3 buckets at each account level.
I am following this documentation of AWS:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-common-scenarios.html#CloudWatch-Agent-send-to-different-AWS-account
Normally, without the credentials section, logs were going to the same account's CloudWatch. But if I add the credentials section and add the related policies in the sender and receiver accounts, I couldn't see the logs in the receiver's CloudWatch.
Config File:
{
  "agent": {
    "credentials": {
      "role_arn": "arn:aws:iam::512425977391:role/CWAgent-Receive-Role"
    },
    "metrics_collection_interval": 60,
    "region": "us-east-1",
    "debug": false
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "C:\\AppData\\*",
            "log_group_name": "Server-1",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 7
          }
        ]
      }
    }
  }
}
IAM Policy at the Sender Account is:
Role Name: CWAgent-Send-Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::512425977391:role/CWAgent-Receive-Role"
      ]
    }
  ]
}
IAM Policy at the Receiver Account is (which is added to the trust relationship):
Role Name: CWAgent-Receive-Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::166355562301:role/CWAgent-Send-Role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
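An added consistency check for the three documents above (this is example code, not from the post or from AWS). It walks the cross-account hand-off the CloudWatch agent performs: the agent's role_arn must be the exact role the sender policy allows sts:AssumeRole on, the receive role's trust policy must name the sender role as a principal, and the two roles must live in different accounts. It also flags the part the post does not show: a trust policy only says who may assume the role, so the receive role still needs a permissions policy that grants the CloudWatch Logs write actions (AWS's managed CloudWatchAgentServerPolicy covers them). Assumptions: the sender role's ARN is the one named in the trust policy, and the receive-role permissions policy below is constructed, since the post has none.

```python
import json
import re

# Constructed copies of the documents from the post (agent config trimmed to
# the fields the check reads; the logs section is not needed here).
AGENT_CONFIG = json.loads(r"""
{"agent": {"credentials": {"role_arn": "arn:aws:iam::512425977391:role/CWAgent-Receive-Role"},
           "region": "us-east-1"}}
""")
SENDER_ROLE_ARN = "arn:aws:iam::166355562301:role/CWAgent-Send-Role"  # assumed: the instance role
SENDER_POLICY = json.loads(r"""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
  "Resource": ["arn:aws:iam::512425977391:role/CWAgent-Receive-Role"]}]}
""")
RECEIVER_TRUST_POLICY = json.loads(r"""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::166355562301:role/CWAgent-Send-Role"},
  "Action": "sts:AssumeRole"}]}
""")
# Constructed, not in the post: a minimal permissions policy for the receive role.
RECEIVER_PERMISSIONS_POLICY = json.loads(r"""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
             "logs:PutLogEvents", "logs:DescribeLogStreams"],
  "Resource": "*"}]}
""")

# Actions the agent needs in the receiving account to write log data.
REQUIRED_LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream",
                        "logs:PutLogEvents", "logs:DescribeLogStreams"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal values."""
    return value if isinstance(value, list) else [value]


def account_of(role_arn):
    """Return the 12-digit account id of an IAM role ARN, or raise ValueError."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return m.group(1)


def allowed_pairs(policy):
    """Yield (action, resource) for every Allow statement of a permissions policy."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            for resource in _as_list(st.get("Resource", [])):
                yield action, resource


def trusted_principals(trust_policy):
    """Return the AWS principals a trust policy lets call sts:AssumeRole."""
    out = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        out.update(_as_list(st.get("Principal", {}).get("AWS", [])))
    return out


def check_cross_account_chain(agent_config, sender_role_arn, sender_policy,
                              receiver_trust_policy, receiver_permissions_policy=None):
    """Return a list of problems; an empty list means the hand-off is consistent."""
    problems = []
    target = agent_config["agent"]["credentials"]["role_arn"]
    try:
        if account_of(target) == account_of(sender_role_arn):
            problems.append("role_arn is in the sender's own account; nothing is cross-account")
    except ValueError as e:
        return [str(e)]
    # 1. The sender role must be allowed to assume the target role ("*" also matches).
    if not any(a == "sts:AssumeRole" and r in (target, "*")
               for a, r in allowed_pairs(sender_policy)):
        problems.append(f"sender policy does not allow sts:AssumeRole on {target}")
    # 2. The target role's trust policy must name the sender role as a principal.
    if sender_role_arn not in trusted_principals(receiver_trust_policy):
        problems.append(f"receiver trust policy does not trust {sender_role_arn}")
    # 3. Trust is not permission: the target role still needs CloudWatch Logs rights.
    if receiver_permissions_policy is None:
        problems.append("no permissions policy supplied for the receive role (it needs "
                        + ", ".join(sorted(REQUIRED_LOG_ACTIONS)) + ")")
    else:
        granted = {a for a, _ in allowed_pairs(receiver_permissions_policy)}
        missing = {a for a in REQUIRED_LOG_ACTIONS
                   if a not in granted and "logs:*" not in granted and "*" not in granted}
        if missing:
            problems.append("receive role is missing " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for label, perms in (("as posted", None), ("with permissions policy", RECEIVER_PERMISSIONS_POLICY)):
        result = check_cross_account_chain(AGENT_CONFIG, SENDER_ROLE_ARN, SENDER_POLICY,
                                           RECEIVER_TRUST_POLICY, perms)
        print(label + ":", result or "chain is consistent")
```

Run against the documents exactly as posted, the only finding is the missing permissions policy on the receive role; with the constructed permissions policy supplied, the chain checks clean. A wrong account id in the trust policy's Principal, or a Resource in the sender policy that does not match role_arn, shows up as its own finding, which is the first thing to compare when the agent silently writes nothing to the receiving account.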