AWS:将日志从 Cloudwatch 导出到 Amazon S3 的权限
[英]AWS: Permissions for exporting logs from Cloudwatch to Amazon S3
问题描述
I am trying to export logs from one of my CloudWatch log groups into Amazon S3, using AWS console.
我正在尝试使用 AWS 控制台将日志从我的 CloudWatch 日志组之一导出到 Amazon S3。
I followed the guide from AWS documentation but with little success.我按照AWS 文档中的指南进行操作,但收效甚微。 My organization does not allow me to manage IAM roles/policies, however I was able to find out that my role is allowed all log-related operations ( logs:* on all resources within the account).我的组织不允许我管理 IAM 角色/策略,但是我发现我的角色被允许进行所有与日志相关的操作( logs:*在账户内的所有资源上)。
Currently, I am stuck on the following error message:目前,我遇到以下错误消息:
Could not create export task.
My bucket policy is set in the following way:我的存储桶策略是通过以下方式设置的:
{
[
...
{
"Sid": "Cloudwatch Log Export 1",
"Effect": "Allow",
"Principal": {
"Service": "logs.eu-central-1.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "Cloudwatch Log Export 2",
"Effect": "Allow",
"Principal": {
"Service": "logs.eu-central-1.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
Prior to editing bucket policy, my error message had been在编辑存储桶策略之前,我的错误消息是
Could not create export task.
but editing the bucket policy fixed that.但是编辑存储桶策略解决了这个问题。 I would expect allowing PutObject to do the same, but this has not been the case.我希望允许PutObject做同样的事情,但事实并非如此。
Thank you for help.谢谢你的帮助。
4 个解决方案
解决方案1
1 2022-02-09 13:09:23
Please check this guide Export log data to Amazon S3 using the AWS CLI Policy's looks like the document that you share but slight different.请查看本指南使用 AWS CLI 策略将日志数据导出到 Amazon S3 与您共享的文档相似,但略有不同。 Assuming that you are doing this in same account and same region, please check that you are placing the right region ( in this example is us-east-2)假设您在同一帐户和同一区域执行此操作,请检查您放置的区域是否正确(在此示例中为 us-east-2)
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:GetBucketAcl",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-exported-logs",
"Principal": { "Service": "logs.us-east-2.amazonaws.com" }
},
{
"Action": "s3:PutObject" ,
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-exported-logs/*",
"Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } },
"Principal": { "Service": "logs.us-east-2.amazonaws.com" }
}
]
}
I think that bucket owner full control is not the problem here, the only chance is the region.我认为bucket owner完全控制在这里不是问题,唯一的机会是区域。 Anyway, take a look to the other two examples in case that you were in different accounts/ using role instead user.无论如何,如果您使用不同的帐户/使用角色而不是用户,请查看其他两个示例。
This solved my issue, that was the same that you mention.这解决了我的问题,与您提到的相同。
解决方案2
1 2022-02-25 18:19:28
One thing to check is your encryption settings.要检查的一件事是您的加密设置。 According to https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.html根据https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.html
Exporting log data to Amazon S3 buckets that are encrypted by AWS KMS is not supported.
Amazon S3-managed keys (SSE-S3) bucket encryption might solve your problem. Amazon S3 托管密钥 (SSE-S3) 存储桶加密可能会解决您的问题。 If you use SSE-KMS, Cloudwatch can't access your encryption key in order to properly encrypt the objects as they are put into the bucket.如果您使用 SSE-KMS,Cloudwatch 无法访问您的加密密钥,以便在对象放入存储桶时正确加密它们。
解决方案3
1 2022-04-02 10:15:52
Ensure when exporting the data you configure the following aptly确保在导出数据时正确配置以下内容
S3 bucket prefix - optional This would be the object name you want to use to store the logs. S3 存储桶前缀 - 可选这将是您要用于存储日志的对象名称。
While creating the policy for PutBucket , you must ensure the object/prefix is captured adequately.在为PutBucket创建策略时,您必须确保充分捕获对象/前缀。 See the diff for the PutBucket statement Resource :请参阅PutBucket语句Resource的差异:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:GetBucketAcl",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-exported-logs",
"Principal": { "Service": "logs.us-east-2.amazonaws.com" }
},
{
"Action": "s3:PutObject" ,
"Effect": "Allow",
- "Resource": "arn:aws:s3:::my-exported-logs/*",
+ "Resource": "arn:aws:s3:::my-exported-logs/**_where_i_want_to_store_my_logs_***",
"Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } },
"Principal": { "Service": "logs.us-east-2.amazonaws.com" }
}
]
}
解决方案4
0 2022-08-25 14:55:05
I had the same situation and what worked for me is to add the bucket name itself as a resource in the Allow PutObject Sid , like:我遇到了同样的情况,对我有用的是将存储桶名称本身作为资源添加到Allow PutObject Sid中,例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLogsExportGetBucketAcl",
"Effect": "Allow",
"Principal": {
"Service": "logs.eu-west-1.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "AllowLogsExportPutObject",
"Effect": "Allow",
"Principal": {
"Service": "logs.eu-west-1.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"my-bucket",
"my-bucket/*"
]
}
]
}
I also believe that all the other answers are relevant, especially using the time in milliseconds.我也相信所有其他答案都是相关的,尤其是以毫秒为单位的时间。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.