AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관

Export CloudWatch log data to Amazon S3 using the console

0

Hi Support, (Side note, not related to this post --> Thank you for the reply to my 1st post on the 26th, I had deleted my post as I figured out what I was doing wrong before I got the reply, sorry for wasting your time.)

I am trying to export CloudWatch Log Group logs to a bucket I created at S3 (bkt-trulab-auth0). I am following this helpful guideline doc, "Export log data to Amazon S3 using the console". I am at step 2 for Same Account Export; Topics

  • Step 1: Create an Amazon S3 bucket
  • Step 2: Set up access permissions
  • Step 3: Set permissions on an S3 bucket
  • (Optional) Step 4: Exporting to a bucket encrypted with SSE-KMS
  • Step 5: Create an export task

Step 2: Set up access permissions To create the export task in step 5, you'll need to be signed on with the AmazonS3ReadOnlyAccess IAM role and with the following permissions: logs:CreateExportTask logs:CancelExportTask logs:DescribeExportTasks logs:DescribeLogStreams logs:DescribeLogGroups

Users and groups in AWS IAM Identity Center: Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.

So I need to create a permissions set and reading from the "AWS IAM Identity Center User Guide", it reads: To create a permission set Open the IAM Identity Center console. Under Multi-account permissions, choose Permission sets.

I have opened both the IAM Identity Center > Dashboard and the IAM > Dashboard consoles, but I do not find the* "Multi-account permissions, choose Permission sets" * menu options.

Screenshots below: IAM Identity Center > Dashboard Enter image description here

IAM > Dashboard Enter image description here

Questions:

q1) What is the difference between IAM Identity Center > Dashboard" and IAM > Dashboard as they both have different page layout/options ?

q2) Where do I find the "Multi-account permissions, choose Permission sets" ?

Thank you for you time! Best Regards, Donald Collins

3개 답변
3
수락된 답변

Hello Donald,

To answer your first question, the difference between IAM and IAM Identity Center is that they are two different services. IAM is, first and foremost, a simpler service to use than Identity Center.

However, according to best security practices, we should use the Identity Center. Using IC, we can have SSO, which will also enforce the best practice of least privilege and temporary access tokens using the STS service, which is going to be (talking from experience) a way easier way to set up an architecture with many roles and many users.

In addition, we are going to have a centralized place to manage permissions; we can Integrate Identity Center with existing user directories like Active Directory using SAML 2.0. This allows you to manage users externally and federate access to AWS accounts.

To answer your second question, you do not see this tab because you are using a standalone AWS account instance of IAM Identity Center rather than an AWS Organizations managed account instance. Some advanced features, like multi-account permissions, are not available in the standalone account version.

To use multi-account permissions, you need to set up the IAM Identity Center using an AWS Organizations-managed account instance. This allows you to centrally manage access for multiple AWS accounts from a single Identity Center administration portal.

Here is a link to implement this feature

https://www.youtube.com/watch?v=_KhrGFV_Npw&ab_channel=TinyTechnicalTutorials

profile picture
답변함 8달 전
profile picture
전문가
검토됨 6달 전
profile picture
전문가
검토됨 8달 전
2

Q1: Difference between IAM Identity Center > Dashboard and IAM > Dashboard:

AWS Identity and Access Management (IAM) and IAM Identity Center (formerly known as AWS Single Sign-On or AWS SSO) serve different but complementary roles within AWS's security services.

  • IAM > Dashboard: This is the main dashboard for AWS Identity and Access Management (IAM). IAM is used to manage access to AWS services and resources securely. Here, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. It does not natively support identity federation with external directories or SSO across multiple AWS accounts.

  • IAM Identity Center > Dashboard: IAM Identity Center, on the other hand, is used to manage access to multiple AWS accounts and applications centrally. It provides single sign-on capabilities to make it easier for users to access all their assigned accounts and applications from one place. It supports identity federation and helps in managing permissions for users across multiple AWS accounts.

Q2: Where to find "Multi-account permissions, choose Permission sets":

Enter image description here

Useful Resource:

profile picture
전문가
답변함 8달 전
profile picture
전문가
검토됨 8달 전
  • Hi Osvaldo! Thank you for your quick reply! My account does not have the menu options for "Multi-account permissions" because it is a stand-alone account (thanks Julian for that info). So is there another way for me complete step 2, "Set up access permissions" in order export CloudWatch group logs to S3? ie Step 1: Create an Amazon S3 bucket Step 2: Set up access permissions

    Best Regards, Donald

2

Thank you Julian for your quick reply and insights! I will review the YouTube link to implement, setup IAM Identity Center as an AWS Organization. Best Regards, Donald

profile picture
답변함 8달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠