This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
Logs sent to CloudWatch Logs
User permissions
To enable sending logs to CloudWatch Logs, you must be signed in with the following permissions.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:GetDelivery",
                "logs:GetDeliverySource",
                "logs:PutDeliveryDestination",
                "logs:GetDeliveryDestinationPolicy",
                "logs:DeleteDeliverySource",
                "logs:PutDeliveryDestinationPolicy",
                "logs:CreateDelivery",
                "logs:GetDeliveryDestination",
                "logs:PutDeliverySource",
                "logs:DeleteDeliveryDestination",
                "logs:DeleteDeliveryDestinationPolicy",
                "logs:DeleteDelivery",
                "logs:UpdateDeliveryConfiguration"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:delivery:*",
                "arn:aws:logs:us-east-1:444455556666:delivery-source:*",
                "arn:aws:logs:us-east-1:777788889999:delivery-destination:*"
            ]
        },
        {
            "Sid": "ListAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeDeliveryDestinations",
                "logs:DescribeDeliverySources",
                "logs:DescribeDeliveries",
                "logs:DescribeConfigurationTemplates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUpdatesToResourcePolicyCWL",
            "Effect": "Allow",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:*"
            ]
        }
    ]
}
```
Log group and resource policy
The log group that logs are delivered to must have a resource policy that contains specific permissions. If the log group currently has no resource policy, and the user who sets up logging has the logs:PutResourcePolicy, logs:DescribeResourcePolicies, and logs:DescribeLogGroups permissions for the log group, AWS automatically creates the following policy when you start sending logs to CloudWatch Logs. For newly created subscriptions, the resource policy is set at the log group level, with a maximum size of 51,200 bytes. If an existing account-level resource policy already grants the permissions through wildcards, no separate log-group-level policy is created. To inspect the log-group-level resource policy of a specific log group, use the describe-resource-policies command with the --resource-arn parameter set to the log group ARN and the --policy-scope parameter set to RESOURCE.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        }
    ]
}
```
The resource policy of a log group is limited to 51,200 bytes. Once this limit is reached, AWS can no longer add new permissions to it. The customer must then modify the policy manually to grant the delivery.logs.amazonaws.com service principal permission for the logs:CreateLogStream and logs:PutLogEvents actions. Customers should use a log group name prefix together with a wildcard, for example /aws/vendedlogs/*, and use that log group name prefix when creating future deliveries.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        }
    ]
}
```
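The two things an operator has to verify by hand once the automatic policy creation stops working are covered above: that the policy is still under the 51,200-byte limit, and that it actually grants delivery.logs.amazonaws.com the logs:CreateLogStream and logs:PutLogEvents actions on the log groups under the wildcard prefix. The following Python script is an added example, not AWS code, that performs both checks offline on a policy document such as the one returned by describe-resource-policies. The sample policy, the account ID 111122223333, the log group and delivery-source ARNs, and the stream name are all constructed placeholders. The evaluation is a deliberate simplification of IAM: it considers only Allow statements, the `*` and `?` wildcards, and the two condition operators the page's policies use (StringEquals on aws:SourceAccount, ArnLike on aws:SourceArn); any other condition is treated as unsatisfied so the check errs on the side of reporting a missing grant.

```python
import fnmatch
import json

# Maximum size of a log-group resource policy, as stated on the page.
MAX_POLICY_BYTES = 51_200

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
REQUIRED_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")

# Constructed sample (placeholder account id): the policy shape from the page,
# using the wildcard log-group prefix the page recommends.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {"Service": [DELIVERY_PRINCIPAL]},
            "Action": list(REQUIRED_ACTIONS),
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/*"
            ],
            "Condition": {
                "StringEquals": {"aws:SourceAccount": ["111122223333"]},
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:us-east-1:111122223333:*"]
                },
            },
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """Case-sensitive match using only IAM's '*' and '?' wildcards."""
    # fnmatch would treat '[' as a character class; IAM does not.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def policy_size_bytes(policy):
    """Bytes the policy occupies as compact UTF-8 JSON (what the limit counts)."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def _conditions_hold(condition, source_account, source_arn):
    """Evaluate the two condition operators the page's policies use.

    Any other operator or key is treated as unsatisfied (conservative).
    """
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            allowed = _as_list(allowed)
            if operator == "StringEquals" and key == "aws:SourceAccount":
                ok = source_account in allowed
            elif operator == "ArnLike" and key == "aws:SourceArn":
                ok = any(_iam_match(p, source_arn) for p in allowed)
            else:
                ok = False
            if not ok:
                return False
    return True


def statement_allows_delivery(stmt, log_group_arn, source_account, source_arn):
    """True if this one statement lets the delivery service write to the group."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    if DELIVERY_PRINCIPAL not in services:
        return False
    actions = _as_list(stmt.get("Action"))
    if not all(any(_iam_match(a, need) for a in actions) for need in REQUIRED_ACTIONS):
        return False
    # Deliveries write to log streams inside the group, and the service picks
    # the stream name, so Resource must cover an arbitrary stream ARN under it.
    stream_arn = f"{log_group_arn}:log-stream:delivery-created-stream"
    if not any(_iam_match(r, stream_arn) for r in _as_list(stmt.get("Resource"))):
        return False
    return _conditions_hold(stmt.get("Condition", {}), source_account, source_arn)


def check_delivery_policy(policy, log_group_arn, source_account, source_arn):
    """Report size headroom and whether delivery into log_group_arn is granted."""
    size = policy_size_bytes(policy)
    allowed = any(
        statement_allows_delivery(s, log_group_arn, source_account, source_arn)
        for s in _as_list(policy.get("Statement"))
    )
    return {
        "size_bytes": size,
        "bytes_remaining": MAX_POLICY_BYTES - size,
        "over_limit": size > MAX_POLICY_BYTES,
        "delivery_allowed": allowed,
    }


if __name__ == "__main__":
    report = check_delivery_policy(
        SAMPLE_POLICY,
        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/my-app",
        "111122223333",
        "arn:aws:logs:us-east-1:111122223333:delivery-source:my-source",
    )
    print(json.dumps(report, indent=2))
```

Run it against the policy JSON you fetched with describe-resource-policies (load it with json.load in place of SAMPLE_POLICY). A log group outside the /aws/vendedlogs/ prefix, or a delivery whose source account does not match the aws:SourceAccount condition, is reported as not allowed, which is exactly the case where the page says the policy must be edited by hand.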