How do I push CloudWatch logs to Amazon Data Firehose across accounts?
I want to stream Amazon CloudWatch logs from Amazon Data Firehose to another account in a different AWS Region.
Resolution
To send CloudWatch logs to a Firehose stream in a different Region, that Region must support Firehose.
In the commands in this resolution, replace the following values with your own values:
- Replace 111111111111 with the ID of your destination account
- Replace us-east-1 with your Firehose Region
- Replace us-west-2 with your Amazon Simple Storage Service (Amazon S3) bucket Region
- Replace us-east-2 with the Region of your destination account
- Replace 222222222222 with the ID of your source account
- Replace us-east-2 with your CloudWatch log group Region
- Replace us-east-2 with your Amazon Virtual Private Cloud (Amazon VPC) flow logs Region
- Replace -arn with the ARN of your resource
**Note:** If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent version of the AWS CLI.
Set up the destination account
Complete the following steps:
- Create an Amazon S3 bucket:

  ```shell
  aws s3api create-bucket --bucket my-bucket --create-bucket-configuration LocationConstraint=us-west-2 --region us-west-2
  ```

  **Note:** Make a note of the bucket's ARN from the output for use in later steps.

- Create a trust policy with the permissions that Firehose needs to push data to Amazon S3, and save it as ~/TrustPolicyForFirehose.json:

  ```json
  {
    "Statement": {
      "Effect": "Allow",
      "Principal": {
        "Service": "firehose.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "111111111111"
        }
      }
    }
  }
  ```

- Run the create-role command to create the IAM role and specify the trust policy:

  ```shell
  aws iam create-role \
    --role-name FirehosetoS3Role \
    --assume-role-policy-document file://~/TrustPolicyForFirehose.json
  ```

  **Note:** Make a note of the role's ARN from the output for use in later steps.

- To define the actions that Firehose can perform in the destination account, use a JSON editor to create a permissions policy and save it as ~/PermissionsForFirehose.json:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:AbortMultipartUpload",
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:ListBucketMultipartUploads",
          "s3:PutObject"
        ],
        "Resource": [
          "arn:aws:s3:::my-bucket",
          "arn:aws:s3:::my-bucket/*"
        ]
      }
    ]
  }
  ```

- Run the put-role-policy command to associate the permissions policy with the IAM role:

  ```shell
  aws iam put-role-policy --role-name FirehosetoS3Role --policy-name Permissions-Policy-For-Firehose --policy-document file://~/PermissionsForFirehose.json
  ```

- Create the destination delivery stream for Firehose:

  ```shell
  aws firehose create-delivery-stream --delivery-stream-name my-delivery-stream --s3-destination-configuration RoleARN='arn:aws:iam::111111111111:role/FirehosetoS3Role',BucketARN='arn:aws:s3:::my-bucket' --region us-east-1
  ```

  **Note:** Replace RoleARN and BucketARN with your role and bucket ARNs.

  For S3 objects that Firehose delivers, a custom prefix is used in the timestamp namespace expression. You can specify an additional prefix at the start of the time format (yyyy/MM/dd/HH/). If the prefix ends with a forward slash (/), it appears as a folder in the S3 bucket.

- To view the DeliveryStreamDescription.DeliveryStreamStatus property, run the describe-delivery-stream command:

  ```shell
  aws firehose describe-delivery-stream --delivery-stream-name "my-delivery-stream" --region us-east-1
  ```

  To confirm that the stream is active, check the command's output:

  ```json
  {
    "DeliveryStreamDescription": {
      "DeliveryStreamType": "DirectPut",
      "HasMoreDestinations": false,
      "DeliveryStreamEncryptionConfiguration": {
        "Status": "DISABLED"
      },
      "VersionId": "1",
      "CreateTimestamp": 1604484348.804,
      "DeliveryStreamARN": "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream",
      "DeliveryStreamStatus": "ACTIVE",
      "DeliveryStreamName": "my-delivery-stream",
      "Destinations": [
        {
          "DestinationId": "destinationId-000000000001",
          "ExtendedS3DestinationDescription": {
            "RoleARN": "arn:aws:iam::111111111111:role/FirehosetoS3Role2test",
            "BufferingHints": {
              "IntervalInSeconds": 300,
              "SizeInMBs": 5
            },
            "EncryptionConfiguration": {
              "NoEncryptionConfig": "NoEncryption"
            },
            "CompressionFormat": "UNCOMPRESSED",
            "S3BackupMode": "Disabled",
            "CloudWatchLoggingOptions": {
              "Enabled": false
            },
            "BucketARN": "arn:aws:s3:::my-bucket"
          },
          "S3DestinationDescription": {
            "RoleARN": "arn:aws:iam::111111111111:role/FirehosetoS3Role2test",
            "BufferingHints": {
              "IntervalInSeconds": 300,
              "SizeInMBs": 5
            },
            "EncryptionConfiguration": {
              "NoEncryptionConfig": "NoEncryption"
            },
            "CompressionFormat": "UNCOMPRESSED",
            "CloudWatchLoggingOptions": {
              "Enabled": false
            },
            "BucketARN": "arn:aws:s3:::my-bucket"
          }
        }
      ]
    }
  }
  ```

  **Note:** Make a note of the stream's ARN for use in later steps.
- Create an additional trust policy that grants CloudWatch Logs permission to put data into the Firehose stream, and save it as ~/TrustPolicyForCWL.json. Add the Region that the logs are pushed to:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": [
            "arn:aws:logs:us-east-2:sourceAccountId:*",
            "arn:aws:logs:us-east-2:recipientAccountId:*"
          ]
        }
      }
    }
  }
  ```

- To create an additional IAM role that puts data into the Firehose stream and specify the trust policy file, run the create-role command:

  ```shell
  aws iam create-role \
    --role-name CWLtoKinesisFirehoseRole \
    --assume-role-policy-document file://~/TrustPolicyForCWL.json
  ```

  **Note:** Make a note of the role's ARN for use in later steps.

- Create a permissions policy that defines the actions that CloudWatch Logs can perform in the destination account, and save it as ~/PermissionsForCWL.json. Include the stream's ARN and the role's ARN:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "firehose:ListDeliveryStreams",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "firehose:DescribeDeliveryStream",
          "firehose:PutRecord",
          "firehose:PutRecordBatch"
        ],
        "Resource": "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream"
      }
    ]
  }
  ```

- To associate the permissions policy with the role, run the put-role-policy command:

  ```shell
  aws iam put-role-policy --role-name CWLtoKinesisFirehoseRole --policy-name Permissions-Policy-For-CWL --policy-document file://~/PermissionsForCWL.json
  ```

- To create a destination in the destination account that the source account sends logs to, run the put-destination command:

  ```shell
  aws logs put-destination --destination-name "myDestination" --target-arn "arn:aws:firehose:us-east-1:111111111111:deliverystream/my-delivery-stream" --role-arn "arn:aws:iam::111111111111:role/CWLtoKinesisFirehoseRole" --region us-east-2
  ```

  **Note:** You can create a destination for the delivery stream in any Region that supports Firehose. The Region where you create the destination must be the same as the log source Region.

- Create an access policy for the CloudWatch destination and save it as ~/AccessPolicy.json:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "AWS": "222222222222"
        },
        "Action": "logs:PutSubscriptionFilter",
        "Resource": "arn:aws:logs:us-east-2:111111111111:destination:myDestination"
      }
    ]
  }
  ```

- Associate the access policy with the CloudWatch destination:

  ```shell
  aws logs put-destination-policy --destination-name "myDestination" --access-policy file://~/AccessPolicy.json --region us-east-2
  ```

- To verify the destination, run the describe-destinations command:

  ```shell
  aws logs describe-destinations --region us-east-2
  ```
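The three cross-account policies in the steps above (the Firehose trust policy, the CloudWatch Logs trust policy and the destination access policy) decide who can push data into your delivery stream and, through it, into your S3 bucket. The following added example, which is not from the re:Post article, audits policy documents of that shape for the least-privilege properties the steps rely on; the sample documents, the weakened variant and the helper names are constructed for illustration.

```python
import json

# Constructed samples: the policy documents from the procedure above, same placeholder account IDs and Regions.
DEST_ACCOUNT, SRC_ACCOUNT, LOG_REGION = "111111111111", "222222222222", "us-east-2"
DEST_ARN = f"arn:aws:logs:{LOG_REGION}:{DEST_ACCOUNT}:destination:myDestination"
FIREHOSE_TRUST = {"Statement": {"Effect": "Allow", "Principal": {"Service": "firehose.amazonaws.com"},
                  "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": DEST_ACCOUNT}}}}
CWL_TRUST = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": f"logs.{LOG_REGION}.amazonaws.com"}, "Condition": {"StringLike": {
             "aws:SourceArn": [f"arn:aws:logs:{LOG_REGION}:{SRC_ACCOUNT}:*", f"arn:aws:logs:{LOG_REGION}:{DEST_ACCOUNT}:*"]}}}}
DEST_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow", "Principal": {"AWS": SRC_ACCOUNT},
               "Action": "logs:PutSubscriptionFilter", "Resource": DEST_ARN}]}
OPEN_DEST_POLICY = json.loads(json.dumps(DEST_POLICY))      # constructed weakened variant:
OPEN_DEST_POLICY["Statement"][0]["Principal"]["AWS"] = "*"  # any AWS account may subscribe into the stream

# IAM accepts Statement/Action/Resource as a single value or a list; normalise to lists.
def _stmts(p): return p["Statement"] if isinstance(p["Statement"], list) else [p["Statement"]]
def _aslist(v): return v if isinstance(v, list) else [v]

def check_firehose_trust(policy, dest_account):
    """FirehosetoS3Role: Firehose may assume it only with the destination account ID as sts:ExternalId."""
    out = []
    for st in _stmts(policy):
        if st.get("Principal", {}).get("Service") != "firehose.amazonaws.com":
            out.append("principal is not firehose.amazonaws.com")
        if st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != dest_account:
            out.append("sts:ExternalId missing or wrong (confused-deputy exposure)")
    return out

def check_cwl_trust(policy, log_region, allowed_accounts):
    """CWLtoKinesisFirehoseRole: regional logs principal, aws:SourceArn limited to the known accounts."""
    out = []
    for st in _stmts(policy):
        if st.get("Principal", {}).get("Service") != f"logs.{log_region}.amazonaws.com":
            out.append("principal is not the regional CloudWatch Logs service principal")
        arns = _aslist(st.get("Condition", {}).get("StringLike", {}).get("aws:SourceArn", []))
        out += ["aws:SourceArn condition missing"] if not arns else [
            f"aws:SourceArn admits account {a.split(':')[4]}" for a in arns if a.split(":")[4] not in allowed_accounts]
    return out

def check_destination_policy(policy, src_account, dest_arn):
    """Destination access policy: only the source account, only PutSubscriptionFilter, only this destination."""
    out = []
    for st in _stmts(policy):
        if st.get("Principal", {}).get("AWS") not in (src_account, f"arn:aws:iam::{src_account}:root"):
            out.append(f"principal {st.get('Principal')!r} is not the source account")
        if _aslist(st.get("Action")) != ["logs:PutSubscriptionFilter"] or _aslist(st.get("Resource")) != [dest_arn]:
            out.append("grants more than logs:PutSubscriptionFilter on this destination ARN")
    return out
```

Run the three checks against the documents you are about to pass to create-role and put-destination-policy; an empty list means the document matches the shape the procedure expects.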
Set up the source account
**Note:** To set up the source account, you must be an IAM administrator user or the root user of that account.
Complete the following steps:
- Create a trust policy that grants Amazon VPC flow logs permission to send data to the CloudWatch log group, and save it as ~/TrustPolicyForVPCFlowLogs.json:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": "vpc-flow-logs.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

- Run the create-role command and specify the trust policy:

  ```shell
  aws iam create-role \
    --role-name PublishFlowLogs \
    --assume-role-policy-document file://~/TrustPolicyForVPCFlowLogs.json
  ```

  **Note:** Make a note of the role's ARN from the output for use in later steps.

- To define the actions that VPC flow logs can perform in the source account, create a permissions policy and save it as ~/PermissionsForVPCFlowLogs.json:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  ```

- To associate the permissions policy with the IAM role, run the put-role-policy command:

  ```shell
  aws iam put-role-policy --role-name PublishFlowLogs --policy-name Permissions-Policy-For-VPCFlowLogs --policy-document file://~/PermissionsForVPCFlowLogs.json
  ```

- To configure the destination for the flow logs, run the create-log-group command to create a CloudWatch log group:

  ```shell
  aws logs create-log-group --log-group-name vpc-flow-logs --region us-east-2
  ```

- To turn on VPC flow logs, run the create-flow-logs command:

  ```shell
  aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --traffic-type ALL --log-group-name vpc-flow-logs --deliver-logs-permission-arn arn:aws:iam::222222222222:role/PublishFlowLogs --region us-east-2
  ```

- To subscribe the CloudWatch log group to the Firehose stream in the destination account, run the put-subscription-filter command:

  ```shell
  aws logs put-subscription-filter --log-group-name "vpc-flow-logs" --filter-name "AllTraffic" --filter-pattern "" --destination-arn "arn:aws:logs:us-east-2:111111111111:destination:myDestination" --region us-east-2
  ```

  To confirm that the logs are published, check the S3 bucket for new logs.