CloudWatch cross-account logs in central logging account to be pushed to S3

0

We have source account A (application deployment) where we have enabled cross-account observability using an OAM link to the central monitoring account B. We wanted to push these logs from CloudWatch in central account B to a dedicated S3 bucket in account B. We were looking for documentation to see if we can perform this, but no policies are helping to push the logs to S3. Could you suggest what method can be used here to have the logs in the central monitoring account with complete security compliance?

1 Answer
0

You can use CloudWatch Logs subscriptions to deliver logs to an S3 bucket in your central monitoring account B. This can be done using a CloudWatch Logs Subscription Filter and Kinesis Data Firehose, which will forward the logs to an S3 bucket.

Example bucket policy in Account B

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchLogsToWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "central-monitoring-account-id"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:region:central-monitoring-account-id:log-group:*"
        }
      }
    }
  ]
}

Set up Kinesis Data Firehose in Account B. Configure the delivery stream to write to the S3 bucket you created in the previous step. Then create a CloudWatch Logs Subscription Filter in Account B.

Example command using AWS CLI to subscribe the log group to the Firehose:

aws logs put-subscription-filter \
  --log-group-name <log-group-name> \
  --filter-name "FirehoseSubscription" \
  --filter-pattern "" \
  --destination-arn arn:aws:firehose:region:central-monitoring-account-id:deliverystream/<firehose-name> \
  --role-arn arn:aws:iam::<central-monitoring-account-id>:role/<FirehoseRole>

In Account B, create an IAM role that CloudWatch Logs can assume to publish logs to Kinesis Data Firehose. The role should allow actions like firehose:PutRecordBatch.

IAM Role Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "firehose:PutRecordBatch",
      "Resource": "arn:aws:firehose:region:central-monitoring-account-id:deliverystream/<firehose-name>"
    }
  ]
}

answered 2 months ago
  • When we did the cross-account configuration, the subscription filters and metric filters in CloudWatch are disabled. We are unable to get those configured in account B (the central monitoring account).
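As an added example (not part of the answer or of AWS's own code), a Python script that builds the trust policy for the role CloudWatch Logs assumes (the `--role-arn` in the answer) and audits policy documents such as the bucket policy above for the `aws:SourceAccount`/`aws:SourceArn` scoping that keeps the delivery chain least-privilege. The account ID, region and bucket name are constructed placeholders.

```python
import json
# Constructed sample modelled on the answer's bucket policy; account and region are placeholders.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudWatchLogsToWrite",
        "Effect": "Allow",
        "Principal": {"Service": "logs.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::your-bucket-name/*",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111111111111"},
            "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:111111111111:log-group:*"},
        },
    }],
}

def logs_to_firehose_trust_policy(account_id: str, region: str) -> dict:
    """Trust policy for the role CloudWatch Logs assumes; scoped so only Logs acting for this account/region can use it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "logs.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"},
            },
        }],
    }

def audit(policy: dict) -> list:
    """Findings for Allow statements that are public, use wildcard actions, or leave a service principal unscoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        actions = [a] if isinstance(a := stmt.get("Action", []), str) else list(a)
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: principal is '*' (public access)")
        if any(act == "*" or act.endswith(":*") for act in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if isinstance(principal, dict) and "Service" in principal:
            cond = json.dumps(stmt.get("Condition", {}))
            if "aws:SourceAccount" not in cond and "aws:SourceArn" not in cond:
                findings.append(f"{sid}: service principal not scoped by aws:SourceAccount/aws:SourceArn")
    return findings
```

Run `audit()` over every policy in the chain (bucket policy, the Logs role trust policy, and the Firehose delivery role) before deploying; an empty list means each service principal is pinned to account B.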
