
The final policy size is bigger than the limit of 20480 - AWS ELK

My Use case is to stream all system logs, application logs and aws cloudtrail logs to aws elasticsearch service.

The workflow is:

application logs --> cloudwatch log group -->default lambda function -->aws es

Right now I am able to stream 40+ log groups to ES. After some point of time, when I try to stream more log groups to ES, I am unable to stream, and I get the following error:

"The final policy size is bigger than the limit of 20480"

How do I increase the policy size?

Please help me on this.

Updated:

My IAM role inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "es:ESHttpPost",
            "Resource": "arn:aws:es:*:*:*"
        }
    ]
}

The role you are specifying for CloudWatch to use has too many attached policies. Review the policies and consolidate them using multiple resources for the resource attribute. Alternatively you can create a second role. I recommend the first approach.

You can't increase the policy size, but you can remove old ELK lambda policies and replace them with a wildcard policy. This can only be done on AWS command line, as of Aug 2019 AWS does not expose this in the web dashboard.

Three commands to do that (replace us-west-1 with your region):

List all policies:

$ aws lambda get-policy --function-name <your-ELK-lambda-name> --region us-west-1

Delete an individual policy by its statement ID. Once you add the wildcard below, all individual policies become redundant and can be removed:

$ aws lambda remove-permission --function-name <your-ELK-lambda-name> --statement-id <statement-id> --region us-west-1

Add the wildcard policy:

$ aws lambda add-permission --function-name <your-ELK-lambda-name> --statement-id WildcardPolicy --action "lambda:InvokeFunction" --principal "logs.us-west-1.amazonaws.com" --source-arn "arn:aws:logs:us-west-1:<your-AWS-account-number>:log-group:*" --source-account "<your-AWS-account-number>" --region us-west-1

Two more issues: as you add new logs, it will keep adding policies, so even with the wildcard policy you will have to delete the new individual policies, because it's not smart enough to not add them. Also, there is a UI glitch: these newly attached logs will not show up on the ELK Lambda web page properly. But at least this will help get past the policy size limit.
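An added example, not code from the question or either answer, that turns the consolidation above into a plan you can check before running the `remove-permission` / `add-permission` commands: it parses the document `aws lambda get-policy` returns, lists the per-log-group statement IDs that become redundant, proposes one `log-group:*` wildcard per region and account, and checks the serialized size against the 20480-byte limit. The sample policy, account number, log-group names and statement IDs are constructed; any statement that is not a per-log-group invoke grant from CloudWatch Logs is deliberately left alone.

```python
import json
import re

# A specific log-group SourceArn (not an existing log-group:* wildcard).
LOG_GROUP_ARN = re.compile(r"^arn:aws:logs:([^:]+):(\d{12}):log-group:(?!\*).+$")
POLICY_SIZE_LIMIT = 20480  # bytes; the limit named in the question's error

# Constructed sample in the shape `aws lambda get-policy` returns under "Policy":
# two per-log-group grants to CloudWatch Logs plus one unrelated S3 trigger.
ACCOUNT = "123456789012"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    {"Sid": sid, "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "logs.us-west-1.amazonaws.com"},
     "Condition": {"StringEquals": {"AWS:SourceAccount": ACCOUNT}, "ArnLike": {
         "AWS:SourceArn": f"arn:aws:logs:us-west-1:{ACCOUNT}:log-group:{lg}:*"}}}
    for sid, lg in [("lg-app", "/app/web"), ("lg-sys", "/var/log/syslog")]
] + [{"Sid": "s3-trigger", "Effect": "Allow", "Action": "lambda:InvokeFunction",
      "Principal": {"Service": "s3.amazonaws.com"}, "Condition": {"ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::my-bucket"}}}]})

def statement_actions(stmt):
    """Action may be a string or a list; always return a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else actions

def plan_consolidation(policy_json):
    """Return (sids_to_remove, wildcard_statements) for a get-policy document.
    A per-log-group invoke grant to the Logs service principal is redundant once a
    log-group:* wildcard for the same region and account exists; anything else stays."""
    policy = json.loads(policy_json)
    remove, wildcards = [], {}
    for stmt in policy.get("Statement", []):
        source_arn = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn", "")
        match = LOG_GROUP_ARN.match(source_arn)
        if (stmt.get("Effect") != "Allow" or not match
                or "lambda:InvokeFunction" not in statement_actions(stmt)):
            continue
        region, account = match.group(1), match.group(2)
        remove.append(stmt["Sid"])
        wildcards.setdefault((region, account), {
            "StatementId": f"WildcardPolicy-{region}",
            "Principal": f"logs.{region}.amazonaws.com",
            "SourceArn": f"arn:aws:logs:{region}:{account}:log-group:*",
            "SourceAccount": account,
        })
    return remove, list(wildcards.values())

def over_limit(policy_json):
    return len(policy_json.encode("utf-8")) > POLICY_SIZE_LIMIT  # serialized size vs limit
```

Each entry in the returned wildcard list maps one-to-one onto the `--statement-id`, `--principal`, `--source-arn` and `--source-account` flags of the `add-permission` command above, and each returned SID is an argument for `remove-permission`.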
