How do I push CloudWatch Logs to Amazon Data Firehose across accounts?


I want to stream Amazon CloudWatch Logs through Amazon Data Firehose to another account in a different AWS Region.

Resolution

To send CloudWatch Logs to a Firehose stream in a different Region, that Region must support Firehose.

In the commands in this resolution, replace the following values with your own:

  • 111111111111 with the ID of your destination account
  • us-east-1 with your Firehose Region
  • us-west-2 with your Amazon Simple Storage Service (Amazon S3) bucket Region
  • us-east-2 with the Region of your destination account
  • 222222222222 with the ID of your source account
  • us-east-2 with your CloudWatch log group Region
  • us-east-2 with your Amazon Virtual Private Cloud (Amazon VPC) flow log Region
  • -arn with the ARN of the resource

**Note:** If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent version of the AWS CLI.

Set up the destination account

Complete the following steps:

  1. Create an Amazon S3 bucket:

    aws s3api create-bucket --bucket my-bucket --create-bucket-configuration LocationConstraint=us-west-2 --region us-west-2

    **Note:** Note the bucket's ARN from the output for use in later steps.

  2. Create a trust policy with the permissions that Firehose requires to push data to Amazon S3:

    {
      "Statement": {
        "Effect": "Allow",
        "Principal": {
          "Service": "firehose.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "111111111111"
          }
        }
      }
    }
  3. Run the create-role command to create the IAM role and specify the trust policy:

    aws iam create-role \
        --role-name FirehosetoS3Role \
        --assume-role-policy-document file://~/TrustPolicyForFirehose.json

    **Note:** Note the role's ARN from the output for use in later steps.

  4. To define the actions that Firehose can perform in the destination account, use a JSON editor to create a permissions policy:

    {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:AbortMultipartUpload",
              "s3:GetBucketLocation",
              "s3:GetObject",
              "s3:ListBucket",
              "s3:ListBucketMultipartUploads",
              "s3:PutObject"
            ],
            "Resource": [
              "arn:aws:s3:::my-bucket",
              "arn:aws:s3:::my-bucket/*"
            ]
          }
        ]
      }
  5. Run the put-role-policy command to associate the permissions policy with the IAM role:

    aws iam put-role-policy --role-name FirehosetoS3Role --policy-name Permissions-Policy-For-Firehose --policy-document file://~/PermissionsForFirehose.json
  6. Create the destination delivery stream for Firehose:

    aws firehose create-delivery-stream --delivery-stream-name my-delivery-stream --s3-destination-configuration RoleARN='arn:aws:iam::111111111111:role/FirehosetoS3Role',BucketARN='arn:aws:s3:::my-bucket' --region us-east-1

    **Note:** Replace RoleARN and BucketARN with your role ARN and bucket ARN.
    When Firehose delivers S3 objects, it uses a custom prefix in the timestamp namespace expression. You can specify an additional prefix in front of the time-format prefix (yyyy/MM/dd/HH/). If the prefix ends with a forward slash (/), it appears as a folder in the S3 bucket.

  7. To view the DeliveryStreamDescription.DeliveryStreamStatus property, run the describe-delivery-stream command:

    aws firehose describe-delivery-stream --delivery-stream-name "my-delivery-stream" --region us-east-1

    To confirm that the stream is active, review the command's output:

    {
      "DeliveryStreamDescription": {
        "DeliveryStreamType": "DirectPut",
        "HasMoreDestinations": false,
        "DeliveryStreamEncryptionConfiguration": {
          "Status": "DISABLED"
        },
        "VersionId": "1",
        "CreateTimestamp": 1604484348.804,
        "DeliveryStreamARN": "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream",
        "DeliveryStreamStatus": "ACTIVE",
        "DeliveryStreamName": "my-delivery-stream",
        "Destinations": [
          {
            "DestinationId": "destinationId-000000000001",
            "ExtendedS3DestinationDescription": {
              "RoleARN": "arn:aws:iam::111111111111:role/FirehosetoS3Role2test",
              "BufferingHints": {
                "IntervalInSeconds": 300,
                "SizeInMBs": 5
              },
              "EncryptionConfiguration": {
                "NoEncryptionConfig": "NoEncryption"
              },
              "CompressionFormat": "UNCOMPRESSED",
              "S3BackupMode": "Disabled",
              "CloudWatchLoggingOptions": {
                "Enabled": false
              },
              "BucketARN": "arn:aws:s3:::my-bucket"
            },
            "S3DestinationDescription": {
              "RoleARN": "arn:aws:iam::111111111111:role/FirehosetoS3Role2test",
              "BufferingHints": {
                "IntervalInSeconds": 300,
                "SizeInMBs": 5
              },
              "EncryptionConfiguration": {
                "NoEncryptionConfig": "NoEncryption"
              },
              "CompressionFormat": "UNCOMPRESSED",
              "CloudWatchLoggingOptions": {
                "Enabled": false
              },
              "BucketARN": "arn:aws:s3:::my-bucket"
            }
          }
        ]
      }
    }

    **Note:** Note the stream's ARN for use in later steps.

  8. Create an additional trust policy that grants CloudWatch Logs permission to put data into the Firehose stream. Add the Region that the logs are pushed to:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": {
          "Service": "logs.us-east-2.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringLike": {
            "aws:SourceArn": [
              "arn:aws:logs:us-east-2:sourceAccountId:*",
              "arn:aws:logs:us-east-2:recipientAccountId:*"
            ]
          }
        }
      }
    }
  9. To create an additional IAM role that puts data into the Firehose stream and specify the trust policy file, run the create-role command:

    aws iam create-role \
        --role-name CWLtoKinesisFirehoseRole \
        --assume-role-policy-document file://~/TrustPolicyForCWL.json

    **Note:** Note the role's ARN for use in later steps.

  10. Create a permissions policy that defines the actions that CloudWatch Logs can perform in the destination account. Include the stream's ARN and the role's ARN:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "firehose:ListDeliveryStreams",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "firehose:DescribeDeliveryStream",
                    "firehose:PutRecord",
                    "firehose:PutRecordBatch"
                ],
                "Resource": "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream"
            }
        ]
    }
  11. To associate the permissions policy with the role, run the put-role-policy command:

    aws iam put-role-policy --role-name CWLtoKinesisFirehoseRole --policy-name Permissions-Policy-For-CWL --policy-document file://~/PermissionsForCWL.json
  12. To create a destination in the destination account that the source account sends logs to, run the put-destination command:

    aws logs put-destination --destination-name "myDestination" --target-arn "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream" --role-arn "arn:aws:iam::111111111111:role/CWLtoKinesisFirehoseRole" --region us-east-2

    **Note:** You can create a destination for the delivery stream in any Region that supports Firehose. The Region where you create the destination must be the same as the log source Region.

  13. Create an access policy for the CloudWatch destination:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "222222222222"
          },
          "Action": "logs:PutSubscriptionFilter",
          "Resource": "arn:aws:logs:us-east-2:111111111111:destination:myDestination"
        }
      ]
    }
  14. Associate the access policy with the CloudWatch destination:

    aws logs put-destination-policy --destination-name "myDestination" --access-policy file://~/AccessPolicy.json --region us-east-2
  15. To verify the destination, run the describe-destinations command:

    aws logs describe-destinations --region us-east-2
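The destination-account setup above is a chain of three policies, and each one is what stops a different party from using the chain on your behalf: the Firehose role trust policy (step 2) pins sts:ExternalId to the destination account, the CloudWatch Logs role trust policy (step 8) pins the principal to the regional logs service and the aws:SourceArn condition to the two participating accounts, and the destination access policy (step 13) lets only the source account call logs:PutSubscriptionFilter. The following added example (not AWS's code) checks those three documents offline before you apply them. It embeds the page's policies with the page's placeholder account IDs (111111111111 destination, 222222222222 source, with sourceAccountId and recipientAccountId from step 8 filled in accordingly); point it at your own files with json.load to audit what you actually deployed.

```python
"""Offline checks for the cross-account policy chain in this walkthrough (added example)."""
import json

DEST_ACCOUNT = "111111111111"     # destination account (placeholder from the page)
SOURCE_ACCOUNT = "222222222222"   # source account (placeholder from the page)
LOG_REGION = "us-east-2"          # Region of the log group and the destination
DESTINATION_ARN = f"arn:aws:logs:{LOG_REGION}:{DEST_ACCOUNT}:destination:myDestination"

# Step 2: trust policy of the role that Firehose assumes to write to S3.
FIREHOSE_TRUST = {"Statement": {
    "Effect": "Allow", "Principal": {"Service": "firehose.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": DEST_ACCOUNT}}}}

# Step 8: trust policy of the role that CloudWatch Logs assumes to write to Firehose.
CWL_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": f"logs.{LOG_REGION}.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringLike": {"aws:SourceArn": [
        f"arn:aws:logs:{LOG_REGION}:{SOURCE_ACCOUNT}:*",
        f"arn:aws:logs:{LOG_REGION}:{DEST_ACCOUNT}:*"]}}}}

# Step 13: access policy attached to the CloudWatch Logs destination.
DESTINATION_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Principal": {"AWS": SOURCE_ACCOUNT},
    "Action": "logs:PutSubscriptionFilter", "Resource": DESTINATION_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def _service_principals(statement):
    principal = statement.get("Principal")
    return _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []


def check_firehose_trust(policy, dest_account):
    """Only the Firehose service, presenting the destination account as ExternalId, may assume the role."""
    findings = []
    for st in _allow_statements(policy):
        if st.get("Principal") == "*" or (isinstance(st.get("Principal"), dict)
                                          and st["Principal"].get("AWS") == "*"):
            findings.append("wildcard principal on a trust policy")
        if _service_principals(st) != ["firehose.amazonaws.com"]:
            findings.append(f"principal should be exactly firehose.amazonaws.com, got {_service_principals(st)}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != dest_account:
            findings.append("sts:ExternalId missing or not the destination account ID")
    return findings


def check_cwl_trust(policy, region, source_account, dest_account):
    """Only the regional CloudWatch Logs service, acting for the two participating accounts, may assume the role."""
    findings = []
    allowed_prefixes = {f"arn:aws:logs:{region}:{acct}:" for acct in (source_account, dest_account)}
    for st in _allow_statements(policy):
        if _service_principals(st) != [f"logs.{region}.amazonaws.com"]:
            findings.append(f"principal should be exactly logs.{region}.amazonaws.com, got {_service_principals(st)}")
        cond = st.get("Condition", {})
        arns = _as_list(cond.get("StringLike", {}).get("aws:SourceArn")
                        or cond.get("ArnLike", {}).get("aws:SourceArn") or [])
        if not arns:
            findings.append("no aws:SourceArn condition: any log group in any account could use this role")
        for arn in arns:
            if not any(arn.startswith(p) for p in allowed_prefixes):
                findings.append(f"aws:SourceArn {arn} is outside the expected Region and accounts")
    return findings


def check_destination_access_policy(policy, source_account, destination_arn):
    """Only the source account may subscribe log groups, and only to this one destination."""
    findings = []
    ok_principals = {source_account, f"arn:aws:iam::{source_account}:root"}
    for st in _allow_statements(policy):
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p == "*":
                findings.append("wildcard principal: any AWS account could subscribe log groups to this destination")
            elif p not in ok_principals:
                findings.append(f"unexpected principal {p}")
        extra = set(_as_list(st.get("Action", []))) - {"logs:PutSubscriptionFilter"}
        if extra:
            findings.append(f"extra actions granted: {sorted(extra)}")
        if _as_list(st.get("Resource", [])) != [destination_arn]:
            findings.append(f"resource should be exactly {destination_arn}")
    return findings


def audit_chain():
    """Run all three checks; every list is empty when the chain matches the walkthrough."""
    return {
        "firehose_trust": check_firehose_trust(FIREHOSE_TRUST, DEST_ACCOUNT),
        "cwl_trust": check_cwl_trust(CWL_TRUST, LOG_REGION, SOURCE_ACCOUNT, DEST_ACCOUNT),
        "destination_access": check_destination_access_policy(DESTINATION_ACCESS, SOURCE_ACCOUNT, DESTINATION_ARN),
    }


if __name__ == "__main__":
    for name, findings in audit_chain().items():
        print(name, "OK" if not findings else json.dumps(findings))
```

The checks are deliberately strict about exact matches (one service principal, one action, one resource): a destination policy that names `"AWS": "*"` would still "work" for the walkthrough but would let any account subscribe its log groups to your stream and bill your bucket, which is exactly the drift an audit should catch.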

Set up the source account

**Note:** To set up the source account, you must be an IAM administrator user or the root user of that account.

Complete the following steps:

  1. Create a trust policy that grants Amazon VPC Flow Logs permission to send data to the CloudWatch log group:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "vpc-flow-logs.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. Run the create-role command and specify the trust policy:

    aws iam create-role \
        --role-name PublishFlowLogs \
        --assume-role-policy-document file://~/TrustPolicyForVPCFlowLogs.json

    **Note:** Note the role's ARN from the output for use in later steps.

  3. To define the actions that VPC Flow Logs can perform in the source account, create a permissions policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  4. To associate the permissions policy with the IAM role, run the put-role-policy command:

    aws iam put-role-policy --role-name PublishFlowLogs --policy-name Permissions-Policy-For-VPCFlowLogs --policy-document file://~/PermissionsForVPCFlowLogs.json
  5. To configure the destination for the flow logs, run the create-log-group command to create a CloudWatch log group:

    aws logs create-log-group --log-group-name vpc-flow-logs --region us-east-2
  6. To turn on VPC Flow Logs, run the create-flow-logs command:

    aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --traffic-type ALL --log-group-name vpc-flow-logs --deliver-logs-permission-arn arn:aws:iam::222222222222:role/PublishFlowLogs --region us-east-2
  7. To subscribe the CloudWatch log group to Firehose in the destination account, run the put-subscription-filter command:

    aws logs put-subscription-filter --log-group-name "vpc-flow-logs" --filter-name "AllTraffic" --filter-pattern "" --destination-arn "arn:aws:logs:us-east-2:111111111111:destination:myDestination" --region us-east-2

    To confirm that the logs are published, check the S3 bucket for new logs.
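"Check the bucket for new logs" is easier with a decoder, because what lands in S3 is not plain text: CloudWatch Logs hands each subscription batch to Firehose as a gzip-compressed JSON message, and Firehose concatenates records with no delimiter, so an object is a run of gzip members whose inflated contents are back-to-back JSON objects. The added example below (not AWS's code) builds such an object from a constructed control message and a constructed data message carrying two default-format VPC flow log events for the page's placeholder source account 222222222222 and log group vpc-flow-logs, then inflates it, skips the control message, rejects messages from an unexpected account or log group, and splits each flow log line into named fields. It assumes the no-delimiter layout described above, which is how subscription-filter records arrive when the stream has no transformation configured.

```python
"""Decode CloudWatch Logs subscription records delivered to S3 via Firehose (added example)."""
import gzip
import json

SOURCE_ACCOUNT = "222222222222"   # placeholder source account from the page
LOG_GROUP = "vpc-flow-logs"       # log group subscribed in step 7

# Default (version 2) VPC flow log fields, in record order.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
               "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def build_sample_object() -> bytes:
    """Constructed sample object: a control message (CloudWatch Logs sends one when the
    subscription is created) followed by a data message with two flow log events."""
    control = {"messageType": "CONTROL_MESSAGE", "owner": "CloudwatchLogs", "logGroup": "",
               "logStream": "", "subscriptionFilters": [],
               "logEvents": [{"id": "", "timestamp": 1604484348000,
                              "message": "CWL CONTROL MESSAGE: Checking health of destination Firehose."}]}
    data = {"messageType": "DATA_MESSAGE", "owner": SOURCE_ACCOUNT, "logGroup": LOG_GROUP,
            "logStream": "eni-0123456789abcdef0-all", "subscriptionFilters": ["AllTraffic"],
            "logEvents": [
                {"id": "1", "timestamp": 1604484348000,
                 "message": "2 222222222222 eni-0123456789abcdef0 10.0.1.5 10.0.2.9 49152 443 6 10 840 1604484348 1604484408 ACCEPT OK"},
                {"id": "2", "timestamp": 1604484349000,
                 "message": "2 222222222222 eni-0123456789abcdef0 10.0.2.9 10.0.1.5 443 49152 6 8 1200 1604484348 1604484408 ACCEPT OK"},
            ]}
    # Firehose concatenates records with no delimiter: one gzip member after another.
    return b"".join(gzip.compress(json.dumps(m).encode("utf-8")) for m in (control, data))


def parse_subscription_object(blob: bytes) -> list:
    """Inflate every gzip member, then split the back-to-back JSON objects."""
    text = gzip.decompress(blob).decode("utf-8")   # gzip.decompress handles concatenated members
    decoder = json.JSONDecoder()
    messages, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)   # raw_decode returns (object, index after it)
        messages.append(obj)
    return messages


def parse_flow_log_line(line: str) -> dict:
    """Split a default-format flow log record into named fields; refuse malformed lines."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(FLOW_FIELDS, parts))


def verify_delivery(blob: bytes, expected_owner: str, expected_log_group: str):
    """Return (flow log records, problems). Data from another account or log group is
    reported as a problem instead of being silently merged into the results."""
    records, problems = [], []
    for msg in parse_subscription_object(blob):
        if msg.get("messageType") != "DATA_MESSAGE":
            continue   # CONTROL_MESSAGE carries no log data
        if msg.get("owner") != expected_owner:
            problems.append(f"message owned by {msg.get('owner')}, expected {expected_owner}")
            continue
        if msg.get("logGroup") != expected_log_group:
            problems.append(f"message from log group {msg.get('logGroup')}, expected {expected_log_group}")
            continue
        records.extend(parse_flow_log_line(ev["message"]) for ev in msg["logEvents"])
    return records, problems


if __name__ == "__main__":
    recs, probs = verify_delivery(build_sample_object(), SOURCE_ACCOUNT, LOG_GROUP)
    print(f"{len(recs)} flow log records, {len(probs)} problems")
    for r in recs:
        print(r["srcaddr"], "->", r["dstaddr"], r["dstport"], r["action"])
```

To run it against a real object, replace build_sample_object() with the bytes of an object downloaded from the bucket; the owner check is the quick way to confirm that the records really came from the source account you subscribed rather than from some other log group that also points at the same destination.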

Related information

DeliveryStreamDescription

AWS OFFICIAL
AWS OFFICIAL Updated 2 months ago