How do I stream log data from CloudWatch Logs to a cross-Region and cross-account Kinesis data stream?


I need to send log data from Amazon CloudWatch Logs to another AWS account's Amazon Kinesis data stream in a different AWS Region.

Resolution

To deliver CloudWatch log events to Amazon Kinesis Data Streams in a different AWS account and Region, set up cross-account log data sharing with subscriptions. The following steps show where the Region must be specified when the data stream and the source log group are in different Regions:

  1. Create a destination data stream in Kinesis in the data recipient account with an AWS Identity and Access Management (IAM) role and trust policy.

    To create the data stream, specify the --region when you use the create-stream command. The following example of this command creates the data stream YourStreamName in us-west-2:

    $ aws kinesis create-stream --stream-name "YourStreamName" --shard-count 1 --region us-west-2
  2. In this example, the source log group belongs to CloudWatch Logs in the us-east-1 Region in AWS account 111111111111 (the sender account), and the log events are streamed to another account's Kinesis data stream in us-west-2 in AWS account 222222222222 (the recipient account).

    Before you create the destination, confirm that the stream is ready: specify the --region when you use the describe-stream command and check that the StreamDescription.StreamStatus property is ACTIVE. The following example of this command checks the stream YourStreamName in us-west-2:

    $ aws kinesis describe-stream --stream-name "YourStreamName" --region us-west-2

    To create the CloudWatch Logs destination in the recipient account, use the put-destination command. A destination is a CloudWatch Logs resource, so it must be created in the same Region as the source log group: set --region to the source Region (us-east-1) even though --target-arn points to a stream in us-west-2. The role in --role-arn must trust the CloudWatch Logs service and be allowed to call kinesis:PutRecord on the stream. In the following example, this command creates the log destination in the recipient account 222222222222 in us-east-1:

    $ aws logs put-destination \
        --destination-name "testDestination" \
        --target-arn "arn:aws:kinesis:us-west-2:222222222222:stream/YourStreamName" \
        --role-arn "arn:aws:iam::222222222222:role/YourIAMRoleName" --region us-east-1

    Then attach an access policy to the destination with the put-destination-policy command (also in us-east-1) that allows the sender account to call logs:PutSubscriptionFilter on it. Without this policy, the next step fails with an access denied error.
  3. Create a subscription filter in your sender account (in this example, AWS account ID 111111111111) with the put-subscription-filter command. Use the destination's ARN (arn:aws:logs:us-east-1:222222222222:destination:testDestination) as the --destination-arn and the source Region (us-east-1) as the --region.

  4. (Optional) To check that your data stream works, validate the flow of log events by reading records from the stream in the recipient account. The Data field of each record is gzip-compressed, base64-encoded JSON, so decode it before you inspect it.
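The four steps above as one script, added here as an example (it is not part of the original article or AWS's own code). It keeps the page's placeholders (sender account 111111111111 in us-east-1, recipient account 222222222222 with the stream in us-west-2, YourStreamName, YourIAMRoleName, testDestination); the source log group /aws/lambda/example and the two CLI profiles "sender" and "recipient" are assumptions. The helpers that build ARNs and policy documents load without credentials; the aws calls only run when APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): cross-account, cross-Region
# subscription from CloudWatch Logs (sender 111111111111, us-east-1) to a
# Kinesis data stream (recipient 222222222222, us-west-2). Account IDs, names,
# the log group and the CLI profiles are placeholders / assumptions. The aws
# calls run only when APPLY=1 is set, so the helpers can be checked offline.
set -eu

SENDER_ACCOUNT="111111111111";    SENDER_REGION="us-east-1"; SENDER_PROFILE="sender"
RECIPIENT_ACCOUNT="222222222222"; STREAM_REGION="us-west-2"; RECIPIENT_PROFILE="recipient"
STREAM_NAME="YourStreamName"; ROLE_NAME="YourIAMRoleName"; DESTINATION_NAME="testDestination"
LOG_GROUP="/aws/lambda/example"   # assumed source log group in the sender account

stream_arn()      { printf 'arn:aws:kinesis:%s:%s:stream/%s' "$1" "$2" "$3"; }
role_arn()        { printf 'arn:aws:iam::%s:role/%s' "$1" "$2"; }
destination_arn() { printf 'arn:aws:logs:%s:%s:destination:%s' "$1" "$2" "$3"; }

# Trust policy for the role in the recipient account: only the CloudWatch Logs
# service may assume it, and only on behalf of CloudWatch Logs resources in the
# source Region of the two accounts involved (aws:SourceArn stops other
# accounts' destinations from borrowing this role).
trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"logs.amazonaws.com"},"Action":"sts:AssumeRole",
 "Condition":{"StringLike":{"aws:SourceArn":[
   "arn:aws:logs:${SENDER_REGION}:${SENDER_ACCOUNT}:*",
   "arn:aws:logs:${SENDER_REGION}:${RECIPIENT_ACCOUNT}:*"]}}}]}
EOF
}

# Permissions policy: the role may write to this one stream and nothing else.
role_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kinesis:PutRecord",
 "Resource":"$(stream_arn "$STREAM_REGION" "$RECIPIENT_ACCOUNT" "$STREAM_NAME")"}]}
EOF
}

# Destination access policy: only the sender account may attach a subscription
# filter to this destination.
access_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"${SENDER_ACCOUNT}"},
 "Action":"logs:PutSubscriptionFilter",
 "Resource":"$(destination_arn "$SENDER_REGION" "$RECIPIENT_ACCOUNT" "$DESTINATION_NAME")"}]}
EOF
}

main() {
  r() { aws --profile "$RECIPIENT_PROFILE" "$@"; }   # recipient-account credentials
  s() { aws --profile "$SENDER_PROFILE" "$@"; }      # sender-account credentials

  # 1. Stream and role in the recipient account; the stream lives in us-west-2.
  r kinesis create-stream --stream-name "$STREAM_NAME" --shard-count 1 --region "$STREAM_REGION"
  r kinesis wait stream-exists --stream-name "$STREAM_NAME" --region "$STREAM_REGION"
  r kinesis describe-stream --stream-name "$STREAM_NAME" --region "$STREAM_REGION" \
      --query 'StreamDescription.StreamStatus' --output text      # expect ACTIVE
  r iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  r iam put-role-policy --role-name "$ROLE_NAME" --policy-name "PutToStream" \
      --policy-document "$(role_policy)"
  sleep 10   # IAM is eventually consistent; put-destination validates the role

  # 2. Destination in the recipient account, created in the SOURCE Region
  #    (us-east-1) even though its target stream is in us-west-2.
  r logs put-destination --destination-name "$DESTINATION_NAME" --region "$SENDER_REGION" \
      --target-arn "$(stream_arn "$STREAM_REGION" "$RECIPIENT_ACCOUNT" "$STREAM_NAME")" \
      --role-arn "$(role_arn "$RECIPIENT_ACCOUNT" "$ROLE_NAME")"
  r logs put-destination-policy --destination-name "$DESTINATION_NAME" \
      --region "$SENDER_REGION" --access-policy "$(access_policy)"

  # 3. Subscription filter in the sender account, pointing at the destination ARN.
  s logs put-subscription-filter --log-group-name "$LOG_GROUP" --filter-name "toRecipient" \
      --filter-pattern "" --region "$SENDER_REGION" \
      --destination-arn "$(destination_arn "$SENDER_REGION" "$RECIPIENT_ACCOUNT" "$DESTINATION_NAME")"

  # 4. Validate: read the first shard; each record is gzip-compressed, base64-encoded JSON.
  it=$(r kinesis get-shard-iterator --stream-name "$STREAM_NAME" --region "$STREAM_REGION" \
         --shard-id shardId-000000000000 --shard-iterator-type TRIM_HORIZON \
         --query ShardIterator --output text)
  r kinesis get-records --shard-iterator "$it" --limit 10 --region "$STREAM_REGION" \
      --query 'Records[].Data' --output text | tr '\t' '\n' \
    | while read -r d; do printf '%s' "$d" | base64 -d | gunzip; echo; done
}

if [ "${APPLY:-0}" = "1" ]; then main; fi
```

Run it with APPLY=1 after replacing the placeholders and configuring the two named profiles. The point of the three policy documents is least privilege: the trust policy is scoped with aws:SourceArn to the source Region and the two accounts, the role can only call kinesis:PutRecord on the one stream, and the destination policy names only the sender account, so no other account can subscribe its log groups to your stream.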

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you use the most recent AWS CLI version.

Related information

Roles terms and concepts