1 Answer
- Newest
- Most votes
- Most comments
0
You can use CloudWatch Logs subscriptions to deliver logs to an S3 bucket in your central monitoring account B. This can be done using a CloudWatch Logs Subscription Filter and Kinesis Data Firehose, which will forward the logs to an S3 bucket.
Example bucket policy in Account B
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCloudWatchLogsToWrite",
"Effect": "Allow",
"Principal": {
"Service": "logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "central-monitoring-account-id"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs:region:central-monitoring-account-id:log-group:*"
}
}
}
]
}
Set Up Kinesis Data Firehose in Account B. Configure the delivery stream to write to the S3 bucket you created in the previous step. Create a CloudWatch Logs Subscription Filter in Account B
Example command using AWS CLI to subscribe the log group to the Firehose:
aws logs put-subscription-filter \
--log-group-name <log-group-name> \
--filter-name "FirehoseSubscription" \
--filter-pattern "" \
--destination-arn arn:aws:firehose:region:central-monitoring-account-id:deliverystream/<firehose-name> \
--role-arn arn:aws:iam::<central-monitoring-account-id>:role/<FirehoseRole>
In Account B, create an IAM role that CloudWatch Logs can assume to publish logs to Kinesis Data Firehose. The role should allow actions like firehose:PutRecordBatch.
IAM Role Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "firehose:PutRecordBatch",
"Resource": "arn:aws:firehose:region:central-monitoring-account-id:deliverystream/<firehose-name>"
}
]
}
Relevant content
- Accepted Answerasked 6 months ago
- Accepted Answerasked 2 years ago
- asked 9 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 4 months ago
when we did the cross account configuration, in the cloudwatch subscription filters and metric filter are disabled. we are unable to get those configured in the account B (central monitoring account)