
Getting Cloudwatch to send CreateLogGroup messages to EventBridge

I want CloudWatch to send CreateLogGroup messages to EventBridge.

I know this is possible, but Cloudwatch does not seem to send these messages by default. It appears you have to configure CloudTrail to get it to forward the messages. But I cannot find a CloudTrail configuration that works; deployment usually fails with: AWS::CloudTrail::Trail - "Invalid request provided: Incorrect S3 bucket policy is detected for bucket"

AWSTemplateFormatVersion: '2010-09-09'
Outputs:
  HelloFunction:
    Value:
      Ref: HelloFunction
  WatcherFunction:
    Value:
      Ref: WatcherFunction
  WatcherTrailBucket:
    Value:
      Ref: WatcherTrailBucket
Parameters:
  MemorySizeDefault:
    Default: '512'
    Type: String
  RuntimeVersion:
    Default: '3.8'
    Type: String
  TimeoutDefault:
    Default: '5'
    Type: String
Resources:
  HelloFunction:
    Properties:
      Code:
        ZipFile: |
          def handler(event, context):
              print (event)
      Handler: index.handler
      MemorySize:
        Ref: MemorySizeDefault
      Role:
        Fn::GetAtt:
        - HelloFunctionRole
        - Arn
      Runtime:
        Fn::Sub: python${RuntimeVersion}
      Timeout:
        Ref: TimeoutDefault
    Type: AWS::Lambda::Function
  HelloFunctionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
        Version: '2012-10-17'
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Effect: Allow
            Resource: '*'
          Version: '2012-10-17'
        PolicyName:
          Fn::Sub: hello-function-role-policy-${AWS::StackName}
    Type: AWS::IAM::Role
  WatcherFunction:
    Properties:
      Code:
        ZipFile: |
          def handler(event, context):
              print (event)
      Handler: index.handler
      MemorySize:
        Ref: MemorySizeDefault
      Role:
        Fn::GetAtt:
        - WatcherFunctionRole
        - Arn
      Runtime:
        Fn::Sub: python${RuntimeVersion}
      Timeout:
        Ref: TimeoutDefault
    Type: AWS::Lambda::Function
  WatcherFunctionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
        Version: '2012-10-17'
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Effect: Allow
            Resource: '*'
          Version: '2012-10-17'
        PolicyName:
          Fn::Sub: watcher-function-role-policy-${AWS::StackName}
    Type: AWS::IAM::Role
  WatcherEventRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.logs
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventName:
            - CreateLogGroup
      Targets:
      - Id:
          Fn::Sub: watcher-event-rule-${AWS::StackName}
        Arn:
          Fn::GetAtt:
          - WatcherFunction
          - Arn
      State: ENABLED
  WatcherEventRulePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      FunctionName:
        Ref: WatcherFunction
      SourceArn:
        Fn::GetAtt:
        - WatcherEventRule
        - Arn
  WatcherTrailBucket:
    Type: AWS::S3::Bucket
  WatcherTrailBucketPolicy:
    DependsOn:
    - WatcherTrailBucket
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
         Ref: WatcherTrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: "*"
            Condition: {}
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: "*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
  WatcherTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      EventSelectors:
        - ReadWriteType: All
      IsLogging: true
      S3BucketName:
        Ref: WatcherTrailBucket
      S3KeyPrefix: logs/
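The rule in the template above only fires for events of detail-type "AWS API Call via CloudTrail", which EventBridge receives only when a trail is recording management events. The following added example (not code from the question or the answer) shows what such a CreateLogGroup event looks like, a simplified pattern matcher that mirrors how the rule's pattern is applied, and a handler that extracts the fields worth keeping instead of printing the whole event. The account id, role and log group names are constructed placeholders; the matcher implements only exact-value lists and nested keys, not EventBridge's prefix, anything-but or numeric matchers.

```python
"""Simplified EventBridge pattern matching for the WatcherEventRule pattern,
run over a constructed CloudTrail management event (added example)."""

# The EventPattern from the template, as EventBridge stores it (JSON form).
WATCHER_RULE_PATTERN = {
    "source": ["aws.logs"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["CreateLogGroup"]},
}

# Constructed sample of how EventBridge wraps a CloudTrail management event.
# Account id, ARNs and names are placeholders, not captured values.
SAMPLE_CREATE_LOG_GROUP_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.logs",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "eventSource": "logs.amazonaws.com",
        "eventName": "CreateLogGroup",
        "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/hello-role/HelloFunction",
        },
        "requestParameters": {"logGroupName": "/aws/lambda/HelloFunction"},
    },
}


def matches(pattern, event):
    """Return True if every key of the pattern is present in the event and
    its value is one of the listed values; nested dicts are matched
    recursively. A missing key (for example no detail-type because the
    event did not come through CloudTrail) means no match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def handler(event, context=None):
    """Watcher handler: summarise who created which log group and where.
    Returns the summary so it can be checked; a Lambda would also log it."""
    detail = event.get("detail", {})
    summary = {
        "log_group": detail.get("requestParameters", {}).get("logGroupName"),
        "caller": detail.get("userIdentity", {}).get("arn"),
        "region": detail.get("awsRegion"),
        "event_source": detail.get("eventSource"),
    }
    print(summary)
    return summary


if __name__ == "__main__":
    if matches(WATCHER_RULE_PATTERN, SAMPLE_CREATE_LOG_GROUP_EVENT):
        handler(SAMPLE_CREATE_LOG_GROUP_EVENT)
```

Running the matcher against the sample event with eventName changed to DeleteLogGroup, or with a detail-type other than the CloudTrail one, returns False, which is the behaviour to expect before the trail exists: the rule is correct, but nothing arrives for it to match.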

Your WatcherTrail runs before WatcherTrailBucketPolicy, which is why it fails (CloudFormation does not deploy resources in the order they are defined in the template). Add an explicit DependsOn dependency on the bucket policy. Also, your WatcherTrailBucketPolicy is incorrect, and the trail needs a name. So it should be:

  WatcherTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
         Ref: WatcherTrailBucket
      PolicyDocument: !Sub |
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {"Service": "cloudtrail.amazonaws.com"},
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::${WatcherTrailBucket}",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceArn": "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/MyTrial"
                        }
                    }
                },
                {
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {"Service": "cloudtrail.amazonaws.com"},
                    "Action": "s3:PutObject",
                    "Resource": "arn:aws:s3:::${WatcherTrailBucket}/logs/AWSLogs/${AWS::AccountId}/*",
                    "Condition": {
                        "StringEquals": {
                            "s3:x-amz-acl": "bucket-owner-full-control",
                            "aws:SourceArn": "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/MyTrial"
                        }
                    }
                }
            ]
        }

  WatcherTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: WatcherTrailBucketPolicy
    Properties:
      TrailName: MyTrial
      EventSelectors:
        - ReadWriteType: All
      IsLogging: true
      S3BucketName:
        Ref: WatcherTrailBucket
      S3KeyPrefix: logs/
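The difference between the two bucket policies on this page is that the corrected one names the bucket ARN and the AWSLogs/<account> object prefix as resources and pins both statements to the trail ARN with aws:SourceArn, so only that trail (and not one in another account) can write to the bucket. The following added example (not code from the question or the answer) is a local check for exactly those properties, run over both policies transcribed from this page with the CloudFormation ${...} substitutions filled in by hand. Account id 111122223333, region us-east-1 and bucket name watcher-trail-bucket are placeholders; the trail name MyTrial is the one the answer uses.

```python
"""Check that a CloudTrail S3 bucket policy has the documented shape and is
pinned to one trail with aws:SourceArn (added example)."""

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def _as_list(value):
    """Principal.Service, Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _cloudtrail_statements(policy):
    """Allow statements whose principal is the CloudTrail service."""
    return [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow"
        and CLOUDTRAIL_SERVICE in _as_list(s.get("Principal", {}).get("Service"))
    ]


def _string_equals(stmt, key):
    return stmt.get("Condition", {}).get("StringEquals", {}).get(key)


def check_trail_bucket_policy(policy, bucket, account, prefix="", trail_arn=None):
    """Return three findings (True = satisfied):
    get_bucket_acl:    s3:GetBucketAcl allowed on exactly the bucket ARN
    put_object:        s3:PutObject allowed on <bucket>/<prefix>AWSLogs/<account>/*
                       with s3:x-amz-acl = bucket-owner-full-control
    source_arn_pinned: every CloudTrail statement carries aws:SourceArn equal
                       to the trail ARN (confused-deputy protection)
    A bare "*" resource satisfies neither resource check."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix}AWSLogs/{account}/*"
    stmts = _cloudtrail_statements(policy)
    acl_ok = any(
        "s3:GetBucketAcl" in _as_list(s.get("Action"))
        and bucket_arn in _as_list(s.get("Resource"))
        for s in stmts
    )
    put_ok = any(
        "s3:PutObject" in _as_list(s.get("Action"))
        and objects_arn in _as_list(s.get("Resource"))
        and _string_equals(s, "s3:x-amz-acl") == "bucket-owner-full-control"
        for s in stmts
    )
    pinned = bool(stmts) and trail_arn is not None and all(
        _string_equals(s, "aws:SourceArn") == trail_arn for s in stmts
    )
    return {"get_bucket_acl": acl_ok, "put_object": put_ok, "source_arn_pinned": pinned}


# Placeholder values standing in for the CloudFormation substitutions.
ACCOUNT, REGION, BUCKET, PREFIX = "111122223333", "us-east-1", "watcher-trail-bucket", "logs/"
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/MyTrial"

# The question's policy (Resource "*", no SourceArn).
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:GetBucketAcl", "Resource": "*", "Condition": {}},
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

# The answer's policy with ${WatcherTrailBucket}, ${AWS::Region}, ${AWS::AccountId} filled in.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": TRAIL_ARN}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("asker", ASKER_POLICY), ("answer", ANSWER_POLICY)):
        print(name, check_trail_bucket_policy(policy, BUCKET, ACCOUNT, PREFIX, TRAIL_ARN))
```

Two details from the answer matter for this check: the S3KeyPrefix of the trail (logs/) must appear in the PutObject resource, and the aws:SourceArn value must match the TrailName the trail is actually given, which is why the answer adds TrailName to the trail resource.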
