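Additional permissions for log delivery
If you configure log delivery on the replicator, append the appropriate statements below to the base policy. You only need the snippets for the destinations you enable.
Amazon CloudWatch Logs destination
When cloudWatchLogs.enabled is true in the logDelivery configuration, append the following statement.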
{
  "Sid": "CloudWatchLogsLogDeliveryActions",
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogDelivery",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups",
    "logs:ListLogDeliveries"
  ],
  "Resource": [ "*" ]
}
Amazon S3 destination
When s3.enabled is true, append the following statements. Replace <logBucketName> with the name of your destination bucket.
[
  {
    "Sid": "S3LogDeliveryActions",
    "Effect": "Allow",
    "Action": [
      "logs:CreateLogDelivery",
      "logs:ListLogDeliveries"
    ],
    "Resource": [ "*" ]
  },
  {
    "Sid": "S3BucketLogDeliveryActions",
    "Effect": "Allow",
    "Action": [
      "s3:GetBucketPolicy",
      "s3:PutBucketPolicy"
    ],
    "Resource": "arn:aws:s3:::<logBucketName>"
  }
]
Firehose destination
When firehose.enabled is true, append the following statements. Replace <accountID> with your AWS account ID.
[
  {
    "Sid": "FirehoseLogDeliveryActions",
    "Effect": "Allow",
    "Action": [
      "logs:CreateLogDelivery",
      "logs:ListLogDeliveries",
      "firehose:TagDeliveryStream"
    ],
    "Resource": [ "*" ]
  },
  {
    "Sid": "FirehoseLogDeliveryServiceLinkedRole",
    "Effect": "Allow",
    "Action": [
      "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws:iam::<accountID>:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
  }
]
For more information about vended-logs permissions, see Enabling logging from AWS services.
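The selection rule described above, as an added example that is not code from the original page: a Python helper that appends only the statements for enabled destinations to a copy of the base policy and rejects an unset or wildcard bucket name or account ID. The dictionary shape of the logDelivery configuration, the function names and the empty base policy are assumptions; the statements themselves are the ones listed on this page.

```python
import copy
import json
import re

LOGS_COMMON = ["logs:CreateLogDelivery", "logs:ListLogDeliveries"]
SLR_ARN = ("arn:aws:iam::{account}:role/aws-service-role/"
           "delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery")

def _stmt(sid, actions, resource):
    return {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}

def log_delivery_statements(log_delivery, bucket=None, account_id=None):
    """Return only the statements for destinations enabled in log_delivery."""
    def on(dest):
        return log_delivery.get(dest, {}).get("enabled") is True
    out = []
    if on("cloudWatchLogs"):
        out.append(_stmt("CloudWatchLogsLogDeliveryActions",
                         ["logs:CreateLogDelivery", "logs:PutResourcePolicy",
                          "logs:DescribeResourcePolicies", "logs:DescribeLogGroups",
                          "logs:ListLogDeliveries"], ["*"]))
    if on("s3"):
        # Refuse unset or wildcard names so the bucket-policy grant stays scoped.
        if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket or ""):
            raise ValueError("s3 enabled: a concrete bucket name is required")
        out.append(_stmt("S3LogDeliveryActions", list(LOGS_COMMON), ["*"]))
        out.append(_stmt("S3BucketLogDeliveryActions",
                         ["s3:GetBucketPolicy", "s3:PutBucketPolicy"], f"arn:aws:s3:::{bucket}"))
    if on("firehose"):
        if not re.fullmatch(r"[0-9]{12}", account_id or ""):
            raise ValueError("firehose enabled: a 12-digit account ID is required")
        out.append(_stmt("FirehoseLogDeliveryActions",
                         LOGS_COMMON + ["firehose:TagDeliveryStream"], ["*"]))
        out.append(_stmt("FirehoseLogDeliveryServiceLinkedRole",
                         ["iam:CreateServiceLinkedRole"],
                         SLR_ARN.format(account=account_id)))
    return out

def extend_policy(base_policy, log_delivery, **kw):
    """Append the needed statements to a copy of base_policy (input is not mutated)."""
    policy = copy.deepcopy(base_policy)
    policy["Statement"].extend(log_delivery_statements(log_delivery, **kw))
    return policy

if __name__ == "__main__":
    # Constructed input: empty base policy, S3 delivery only, example bucket name.
    base = {"Version": "2012-10-17", "Statement": []}
    print(json.dumps(extend_policy(base, {"s3": {"enabled": True}},
                                   bucket="example-log-bucket"), indent=2))
```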