


# Logs sent to CloudWatch Logs
<a name="AWS-logs-infrastructure-V2-CloudWatchLogs"></a>

**User permissions**

To enable sending logs to CloudWatch Logs, you must be signed in with the following permissions.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:GetDelivery",
                "logs:GetDeliverySource",
                "logs:PutDeliveryDestination",
                "logs:GetDeliveryDestinationPolicy",
                "logs:DeleteDeliverySource",
                "logs:PutDeliveryDestinationPolicy",
                "logs:CreateDelivery",
                "logs:GetDeliveryDestination",
                "logs:PutDeliverySource",
                "logs:DeleteDeliveryDestination",
                "logs:DeleteDeliveryDestinationPolicy",
                "logs:DeleteDelivery",
                "logs:UpdateDeliveryConfiguration"
            ],
            "Resource": [
                "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery:*",
                "arn:aws:logs:{{us-east-1}}:{{444455556666}}:delivery-source:*",
                "arn:aws:logs:{{us-east-1}}:{{777788889999}}:delivery-destination:*"
            ]
        },
        {
            "Sid": "ListAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeDeliveryDestinations",
                "logs:DescribeDeliverySources",
                "logs:DescribeDeliveries",
                "logs:DescribeConfigurationTemplates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUpdatesToResourcePolicyCWL",
            "Effect": "Allow",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:{{us-east-1}}:{{123456789012}}:*"
            ]
        }
    ]
}
```

------

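**Log groups and resource policies**

The log group that the logs are sent to must have a resource policy that includes certain permissions. If the log group currently has no resource policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, then AWS automatically creates the following policy when you begin sending the logs to CloudWatch Logs. For newly created subscriptions, the resource policy is set at the log group level, with a maximum size of 51,200 bytes. If an existing account-level resource policy already grants the permissions through a wildcard, no separate log group-level policy is created. To check the logGroup-level resource policy for a specific log group, use the `describe-resource-policies` command with the `--resource-arn` parameter set to the log group ARN and the `--policy-scope` parameter set to `RESOURCE`.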

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:{{my-log-group}}:log-stream:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "{{0123456789}}"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:{{us-east-1}}:{{111122223333}}:*"
                    ]
                }
            }
        }
    ]
}
```

------

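The log group resource policy is limited to 51,200 bytes. Once this limit is reached, AWS cannot add new permissions. The customer must then manually modify the policy to grant the `delivery.logs.amazonaws.com` service principal permission for the `logs:CreateLogStream` and `logs:PutLogEvents` actions. Customers should use a log group name prefix with a wildcard, such as `/aws/vendedlogs/*`, and use this log group name for future delivery creations.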

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:{{my-log-group/aws/vendedlogs}}/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "{{0123456789}}"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:{{us-east-1}}:{{111122223333}}:*"
                    ]
                }
            }
        }
    ]
}
```

------
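
The following Python sketch is an added example, not AWS code. It audits the text of a resource policy document (for instance, one obtained with `describe-resource-policies`) against the points described above: the 51,200-byte limit, the `delivery.logs.amazonaws.com` grant of `logs:CreateLogStream` and `logs:PutLogEvents` for a given log group, and the presence of the `aws:SourceAccount` and `aws:SourceArn` conditions. The function names, the constructed sample policy, and the simplified wildcard matching are assumptions.

```python
import fnmatch
import json

POLICY_LIMIT_BYTES = 51200  # resource policy size limit stated on this page
PRINCIPAL = "delivery.logs.amazonaws.com"
REQUIRED = ("logs:CreateLogStream", "logs:PutLogEvents")

def as_list(value):
    """Policy JSON allows a string or a list in most fields; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_delivery_policy(policy_json, log_group_arn):
    """Return findings for one log group ARN; an empty list means none found."""
    findings, granted = [], set()
    size = len(policy_json.encode("utf-8"))
    if size > POLICY_LIMIT_BYTES:
        findings.append(f"policy is {size} bytes, over the {POLICY_LIMIT_BYTES}-byte limit")
    stream_arn = log_group_arn + ":log-stream:example"  # constructed stream name
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or PRINCIPAL not in services:
            continue
        # Simplified matching (assumption): only '*' and '?' wildcards are interpreted.
        if not any(fnmatch.fnmatchcase(stream_arn, r) for r in as_list(stmt.get("Resource"))):
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        granted |= {a for a in REQUIRED if any(fnmatch.fnmatchcase(a.lower(), p) for p in actions)}
        # The page's policy carries both keys; they tie the service principal to one account.
        keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        for key in ("aws:SourceAccount", "aws:SourceArn"):
            if key not in keys:
                findings.append(f"statement {stmt.get('Sid', '?')} lacks an {key} condition")
    for action in REQUIRED:
        if action not in granted:
            findings.append(f"{action} is not granted to {PRINCIPAL} on {log_group_arn}")
    return findings

# Constructed sample modeled on the page's wildcard-prefix policy (placeholder account and Region).
BASE = "arn:aws:logs:us-east-1:111122223333:"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSLogDeliveryWrite20150319", "Effect": "Allow",
    "Principal": {"Service": [PRINCIPAL]}, "Action": list(REQUIRED),
    "Resource": [BASE + "log-group:/aws/vendedlogs/*"],
    "Condition": {"StringEquals": {"aws:SourceAccount": ["111122223333"]},
                  "ArnLike": {"aws:SourceArn": [BASE + "*"]}}}]})

if __name__ == "__main__":
    for group in ("/aws/vendedlogs/app", "/custom/app"):
        print(group, audit_delivery_policy(SAMPLE_POLICY, BASE + "log-group:" + group))
```

A log group outside the `/aws/vendedlogs/` prefix is reported as not covered, which is the case where a delivery to it would need its own grant.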