
How many accounts could send cloudwatch events to AWS logs destination?

Trying to have a central account processing cloudwatch logs. (Cross account logs forwarding)

Following https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html

After step 7a is complete, in the log data recipient account, associate an access policy with the destination. This policy enables the log data sender account (111111111111) to access the destination in the log data recipient account (999999999999).

There is a limitation: * cannot be defined as the Principal AWS accounts.

If multiple accounts are sending logs to this destination, each sender account must be listed separately in the policy. This policy does not support specifying * as the Principal or the use of the aws:PrincipalOrgId global key.

Is there any limitation of how many accounts could be granted/attached using access policy?

With resource policies for CloudWatch Logs your only limit is a max policy document length of 5120 characters. Depending on the number of accounts and the size/maturity of your organization I would recommend configuring AWS Organizations. With AWS Organizations you can use the PrincipalOrgID condition key in the resource policy to grant any account in your organization permissions to write logs. More information on that strategy can be found here.
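As an added example (not code from the question, the answer, or the AWS docs), the following builds the destination access policy from the CreateDestination walkthrough with every sender account listed explicitly, rejects a wildcard principal, and measures the document against the 5120-character limit mentioned in the answer to see how many sender accounts one policy can hold. The destination ARN and the placeholder account ids are constructed; only the recipient (999999999999) and sender (111111111111) ids come from the page.

```python
import json

# Maximum length of a CloudWatch Logs resource policy document (the limit quoted in the answer).
MAX_POLICY_CHARS = 5120

# Constructed destination ARN for the log data recipient account from the page (999999999999).
DESTINATION_ARN = "arn:aws:logs:us-east-1:999999999999:destination:testDestination"


def build_destination_policy(destination_arn: str, sender_account_ids: list[str]) -> dict:
    """Build the destination access policy: every sender account is listed separately
    as an AWS principal, because '*' is not supported as the Principal here."""
    if not sender_account_ids:
        raise ValueError("at least one sender account is required")
    for acct in sender_account_ids:
        # Reject the wildcard and anything that is not a 12-digit account id.
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"invalid sender account id: {acct!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PermitSubscriptionFilters",
            "Effect": "Allow",
            "Principal": {"AWS": list(sender_account_ids)},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": destination_arn,
        }],
    }


def policy_size(policy: dict) -> int:
    """Length of the policy as the compact JSON document that would be submitted."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_in_limit(policy: dict) -> bool:
    return policy_size(policy) <= MAX_POLICY_CHARS


def max_accounts_for(destination_arn: str) -> int:
    """Add constructed 12-digit sender ids until the document exceeds the limit."""
    accounts: list[str] = []
    while True:
        accounts.append(f"{len(accounts) + 1:012d}")  # constructed placeholder id
        if not fits_in_limit(build_destination_policy(destination_arn, accounts)):
            return len(accounts) - 1


if __name__ == "__main__":
    single = build_destination_policy(DESTINATION_ARN, ["111111111111"])
    print(json.dumps(single, indent=2))
    print("max sender accounts in one policy:", max_accounts_for(DESTINATION_ARN))
```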
