How do I push CloudWatch logs to Amazon Data Firehose across accounts?
I want to stream Amazon CloudWatch logs through Amazon Data Firehose to another account in a different AWS Region.
Resolution
To send CloudWatch logs to a Firehose stream in a different Region, that Region must support Firehose.
In the commands in this resolution, replace the following values with your own values:
- Replace 111111111111 with the ID of your destination account
- Replace us-east-1 with your Firehose Region
- Replace us-west-2 with your Amazon Simple Storage Service (Amazon S3) bucket Region
- Replace us-east-2 with the Region of your destination account
- Replace 222222222222 with the ID of your source account
- Replace us-east-2 with your CloudWatch log group Region
- Replace us-east-2 with your Amazon Virtual Private Cloud (Amazon VPC) flow log Region
- Replace -arn with the ARN of your resource
**Note:** If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent version of the AWS CLI.
Set up the destination account
Complete the following steps:
- Create an Amazon S3 bucket:

  ```shell
  aws s3api create-bucket --bucket my-bucket --create-bucket-configuration LocationConstraint=us-west-2 --region us-west-2
  ```

  **Note:** Note the bucket ARN from the output for use in later steps.
- Create a trust policy with the permissions that Firehose needs to push data to Amazon S3:

  ```json
  {
    "Statement": {
      "Effect": "Allow",
      "Principal": { "Service": "firehose.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "111111111111" } }
    }
  }
  ```
- Run the create-role command to create the IAM role and specify the trust policy:

  ```shell
  aws iam create-role \
      --role-name FirehosetoS3Role \
      --assume-role-policy-document file://~/TrustPolicyForFirehose.json
  ```

  **Note:** Note the role ARN from the output for use in later steps.
- To define the actions that Firehose can perform in the destination account, use a JSON editor to create a permissions policy:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:AbortMultipartUpload",
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:ListBucketMultipartUploads",
          "s3:PutObject"
        ],
        "Resource": [
          "arn:aws:s3:::my-bucket",
          "arn:aws:s3:::my-bucket/*"
        ]
      }
    ]
  }
  ```
- Run the put-role-policy command to associate the permissions policy with the IAM role:

  ```shell
  aws iam put-role-policy --role-name FirehosetoS3Role --policy-name Permissions-Policy-For-Firehose --policy-document file://~/PermissionsForFirehose.json
  ```
- Create the destination delivery stream for Firehose:

  ```shell
  aws firehose create-delivery-stream --delivery-stream-name my-delivery-stream --s3-destination-configuration RoleARN='arn:aws:iam::111111111111:role/FirehosetoS3Role',BucketARN='arn:aws:s3:::my-bucket' --region us-east-1
  ```

  **Note:** Replace RoleARN and BucketARN with your role ARN and bucket ARN.

  When Firehose delivers S3 objects, a custom prefix is used in the timestamp namespace expression. You can specify an extra prefix at the beginning of the time format (yyyy/MM/dd/HH/). If the prefix ends with a forward slash (/), it appears as a folder in the S3 bucket.
- To view the DeliveryStreamDescription.DeliveryStreamStatus property, run the describe-delivery-stream command:

  ```shell
  aws firehose describe-delivery-stream --delivery-stream-name "my-delivery-stream" --region us-east-1
  ```

  To confirm that the stream is active, check the output of the command:

  ```json
  {
    "DeliveryStreamDescription": {
      "DeliveryStreamType": "DirectPut",
      "HasMoreDestinations": false,
      "DeliveryStreamEncryptionConfiguration": { "Status": "DISABLED" },
      "VersionId": "1",
      "CreateTimestamp": 1604484348.804,
      "DeliveryStreamARN": "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream",
      "DeliveryStreamStatus": "ACTIVE",
      "DeliveryStreamName": "my-delivery-stream",
      "Destinations": [
        {
          "DestinationId": "destinationId-000000000001",
          "ExtendedS3DestinationDescription": {
            "RoleARN": "arn:aws:iam::111111111111:role/FirehosetoS3Role2test",
            "BufferingHints": { "IntervalInSeconds": 300, "SizeInMBs": 5 },
            "EncryptionConfiguration": { "NoEncryptionConfig": "NoEncryption" },
            "CompressionFormat": "UNCOMPRESSED",
            "S3BackupMode": "Disabled",
            "CloudWatchLoggingOptions": { "Enabled": false },
            "BucketARN": "arn:aws:s3:::my-bucket"
          },
          "S3DestinationDescription": {
            "RoleARN": "arn:aws:iam::111111111111:role/FirehosetoS3Role2test",
            "BufferingHints": { "IntervalInSeconds": 300, "SizeInMBs": 5 },
            "EncryptionConfiguration": { "NoEncryptionConfig": "NoEncryption" },
            "CompressionFormat": "UNCOMPRESSED",
            "CloudWatchLoggingOptions": { "Enabled": false },
            "BucketARN": "arn:aws:s3:::my-bucket"
          }
        }
      ]
    }
  }
  ```

  **Note:** Note the stream ARN for use in later steps.
- Create an additional trust policy that grants CloudWatch Logs permission to put data into the Firehose stream. Add the Region that the logs are sent to:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": { "Service": "logs.us-east-2.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": [
            "arn:aws:logs:us-east-2:sourceAccountId:*",
            "arn:aws:logs:us-east-2:recipientAccountId:*"
          ]
        }
      }
    }
  }
  ```
- To create an additional IAM role that puts data into the Firehose stream and to specify the trust policy file, run the create-role command:

  ```shell
  aws iam create-role \
      --role-name CWLtoKinesisFirehoseRole \
      --assume-role-policy-document file://~/TrustPolicyForCWL.json
  ```

  **Note:** Note the role ARN for use in later steps.
- Create a permissions policy that defines the actions that CloudWatch Logs can perform in the destination account. Include the stream ARN and the role ARN:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "firehose:ListDeliveryStreams",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "firehose:DescribeDeliveryStream",
          "firehose:PutRecord",
          "firehose:PutRecordBatch"
        ],
        "Resource": "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream"
      }
    ]
  }
  ```
- To associate the permissions policy with the role, run the put-role-policy command:

  ```shell
  aws iam put-role-policy --role-name CWLtoKinesisFirehoseRole --policy-name Permissions-Policy-For-CWL --policy-document file://~/PermissionsForCWL.json
  ```
- To create a destination in the destination account that the source account sends logs to, run the put-destination command:

  ```shell
  aws logs put-destination --destination-name "myDestination" --target-arn "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream" --role-arn "arn:aws:iam::111111111111:role/CWLtoKinesisFirehoseRole" --region us-east-2
  ```

  **Note:** You can create a destination for the delivery stream in any Region that supports Firehose. The Region where you create the destination must be the same as the log source Region.
- Create an access policy for the CloudWatch destination:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": { "AWS": "222222222222" },
        "Action": "logs:PutSubscriptionFilter",
        "Resource": "arn:aws:logs:us-east-2:111111111111:destination:myDestination"
      }
    ]
  }
  ```
- Associate the access policy with the CloudWatch destination:

  ```shell
  aws logs put-destination-policy --destination-name "myDestination" --access-policy file://~/AccessPolicy.json --region us-east-2
  ```
- To validate the destination, run the describe-destinations command:

  ```shell
  aws logs describe-destinations --region us-east-2
  ```
Set up the source account
**Note:** To set up the source account, you must be an IAM administrator user or the root user of that account.
Complete the following steps:
- Create a trust policy that grants Amazon VPC Flow Logs permission to send data to the CloudWatch log group:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```
- Run the create-role command and specify the trust policy:

  ```shell
  aws iam create-role \
      --role-name PublishFlowLogs \
      --assume-role-policy-document file://~/TrustPolicyForVPCFlowLogs.json
  ```

  **Note:** Note the role ARN from the output for use in later steps.
- To define the actions that VPC Flow Logs can perform in the source account, create a permissions policy:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  ```
- To associate the permissions policy with the IAM role, run the put-role-policy command:

  ```shell
  aws iam put-role-policy --role-name PublishFlowLogs --policy-name Permissions-Policy-For-VPCFlowLogs --policy-document file://~/PermissionsForVPCFlowLogs.json
  ```
- To configure the destination for the flow logs, run the create-log-group command to create the CloudWatch log group:

  ```shell
  aws logs create-log-group --log-group-name vpc-flow-logs --region us-east-2
  ```
- To turn on VPC flow logs, run the create-flow-logs command:

  ```shell
  aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --traffic-type ALL --log-group-name vpc-flow-logs --deliver-logs-permission-arn arn:aws:iam::222222222222:role/PublishFlowLogs --region us-east-2
  ```
- To subscribe the CloudWatch log group to the Firehose stream in the destination account, run the put-subscription-filter command:

  ```shell
  aws logs put-subscription-filter --log-group-name "vpc-flow-logs" --filter-name "AllTraffic" --filter-pattern "" --destination-arn "arn:aws:logs:us-east-2:111111111111:destination:myDestination" --region us-east-2
  ```

To confirm that the logs are published, check the S3 bucket for new logs.
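The cross-account trust in this setup rests on three policy documents: the Firehose trust policy (sts:ExternalId), the CloudWatch Logs trust policy (aws:SourceArn), and the destination access policy that names the source account. The following is an added example, not code from this article or from AWS, that checks those policy files for the scoping this procedure relies on before you run put-role-policy or put-destination-policy; the sample policies are constructed copies of the ones above with this article's placeholder account IDs.

```python
import json

# Constructed samples mirroring the policies in the steps above
# (111111111111 = destination account, 222222222222 = source account).
DESTINATION_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "222222222222"},
                   "Action": "logs:PutSubscriptionFilter",
                   "Resource": "arn:aws:logs:us-east-2:111111111111:destination:myDestination"}]})
CWL_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": {"Service": "logs.us-east-2.amazonaws.com"},
                  "Action": "sts:AssumeRole",
                  "Condition": {"StringLike": {"aws:SourceArn": [
                      "arn:aws:logs:us-east-2:222222222222:*",
                      "arn:aws:logs:us-east-2:111111111111:*"]}}}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statements(policy_json):
    # "Statement" may be one object or a list; normalise to a list.
    return _as_list(json.loads(policy_json)["Statement"])

def check_destination_policy(policy_json, source_account, destination_arn):
    """Findings (empty = OK) for the CloudWatch destination access policy: only the
    source account may call logs:PutSubscriptionFilter on this one destination."""
    allowed = {source_account, f"arn:aws:iam::{source_account}:root"}
    findings = []
    for st in _statements(policy_json):
        if st.get("Effect") != "Allow":
            continue
        prin = st.get("Principal", {})
        principals = _as_list(prin.get("AWS", [])) if isinstance(prin, dict) else [prin]
        if not principals or any(p not in allowed for p in principals):
            findings.append("principal is not limited to the source account")
        if set(_as_list(st.get("Action", []))) - {"logs:PutSubscriptionFilter"}:
            findings.append("actions go beyond logs:PutSubscriptionFilter")
        if destination_arn not in _as_list(st.get("Resource", [])):
            findings.append("resource does not name the destination ARN")
    return findings

def check_service_trust(policy_json, service, condition_key):
    """Findings for a service trust policy: the expected service principal plus the
    confused-deputy guard (sts:ExternalId for Firehose, aws:SourceArn for CloudWatch Logs)."""
    findings = []
    for st in _statements(policy_json):
        if st.get("Principal", {}).get("Service") != service:
            findings.append(f"unexpected principal {st.get('Principal')}")
        present = {k for op in st.get("Condition", {}).values() for k in op}
        if condition_key not in present:
            findings.append(f"no {condition_key} condition on sts:AssumeRole")
    return findings
```

Run it against the JSON files you wrote to disk (file://~/AccessPolicy.json, file://~/TrustPolicyForCWL.json, file://~/TrustPolicyForFirehose.json) with the same account ID and destination ARN you passed to the CLI; any non-empty findings list means the policy is broader than this procedure intends.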
AWS OFFICIAL, updated 2 years ago