- 最新
- 最多得票
- 最多評論
As outlined, there can be various ways to control the access to a private VPC. In your specific case, it seems it is a typical access control to a VPC endpoint for CloudWatch Services. What you can do is to
-
Specify a VPC endpoint policy for your CLoudWatch Services, for example: { "Statement": [ { "Sid": "PutOnly", "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" }, "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "*" } ] } NOTE: modify further detailed requirements on Action and Resources if necessary.
-
Create a specific IAM role allowing the permission for access the VPC CLoudWatch logs
-
Provision the Limited (EC2) instances you will allow to access the VPC CloudWatch endpoint service.
This is inline with your a. using IAM role approach. You might still need to make sure you have Network layer of rules like Security Group to allow the EC2 instance to flow through besides the endpoint policy.
相關內容
- AWS 官方已更新 2 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 2 年前