本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
发送到日志的 CloudWatch 日志
用户权限
要启用向日志发送 CloudWatch 日志,您必须使用以下权限登录。
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadWriteAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:GetDelivery",
"logs:GetDeliverySource",
"logs:PutDeliveryDestination",
"logs:GetDeliveryDestinationPolicy",
"logs:DeleteDeliverySource",
"logs:PutDeliveryDestinationPolicy",
"logs:CreateDelivery",
"logs:GetDeliveryDestination",
"logs:PutDeliverySource",
"logs:DeleteDeliveryDestination",
"logs:DeleteDeliveryDestinationPolicy",
"logs:DeleteDelivery",
"logs:UpdateDeliveryConfiguration"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:delivery:*",
"arn:aws:logs:us-east-1:444455556666:delivery-source:*",
"arn:aws:logs:us-east-1:777788889999:delivery-destination:*"
]
},
{
"Sid": "ListAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:DescribeDeliveryDestinations",
"logs:DescribeDeliverySources",
"logs:DescribeDeliveries",
"logs:DescribeConfigurationTemplates"
],
"Resource": "*"
},
{
"Sid": "AllowUpdatesToResourcePolicyCWL",
"Effect": "Allow",
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:*"
]
}
]
}
日志组和资源策略
接收日志的日志组必须具有包含特定权限的资源策略。如果日志组当前没有资源策略,并且设置日志记录的用户拥有该日志组的logs:PutResourcePolicylogs:DescribeResourcePolicies、和logs:DescribeLogGroups权限,则在您开始将日志发送到 CloudWatch Logs 时, AWS
会自动为其创建以下策略。对于新创建的订阅,资源策略是在日志组级别配置的,其最大大小为 51,200 字节。如果现有的账户级资源策略已经通过通配符授予权限,则不会创建单独的日志组级别策略。要检查特定日志组的 LogGroup 级别资源策略,请使用将--resource-arn参数设置为日志组 ARN 且参数设置为的describe-resource-policies命令。--policy-scope RESOURCE
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"0123456789"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:111122223333:*"
]
}
}
}
]
}
日志组的资源策略限制为 51,200 字节。一旦达到此限制,AWS 就无法添加新权限。这要求客户手动修改策略,以授予delivery.logs.amazonaws.com服务主体对logs:CreateLogStream和logs:PutLogEvents操作的权限。客户应使用带有通配符的日志组名称前缀,例如/aws/vendedlogs/*并在将来创建 Future Delivery 时使用此日志组名称。
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"0123456789"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:111122223333:*"
]
}
}
}
]
}
