Amazon CloudWatch Logs
User Guide
Features of AWS services described in the AWS documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Modifying Destination Membership at Runtime

You may encounter situations in which you must add or remove the membership of certain users in a destination that you own. You can use the PutDestinationPolicy action on your destination with a new access policy. In the following example, the previously added account 234567890123 is blocked from sending any further log data, and account 345678901234 is enabled.

  1. Retrieve the policy currently associated with the destination testDestination and note the AccessPolicy:

    aws logs describe-destinations \
        --destination-name-prefix "testDestination"

    {
        "Destinations": [
            {
                "DestinationName": "testDestination",
                "RoleArn": "arn:aws:iam::123456789012:role/CWLtoKinesisRole",
                "DestinationArn": "arn:aws:logs:us-east-1:123456789012:destination:testDestination",
                "TargetArn": "arn:aws:kinesis:us-east-1:123456789012:stream/RootAccess",
                "AccessPolicy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"\", \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"234567890123\"}, \"Action\": \"logs:PutSubscriptionFilter\", \"Resource\": \"arn:aws:logs:us-east-1:123456789012:destination:testDestination\"}] }"
            }
        ]
    }

  2. Update the policy so that account 234567890123 is blocked and account 345678901234 is enabled. Put this policy in the ~/NewAccessPolicy.json file:

    {
        "Version" : "2012-10-17",
        "Statement" : [
            {
                "Sid" : "",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "345678901234"
                },
                "Action" : "logs:PutSubscriptionFilter",
                "Resource" : "arn:aws:logs:us-east-1:123456789012:destination:testDestination"
            }
        ]
    }

  3. Call PutDestinationPolicy to associate the policy defined in the NewAccessPolicy.json file with the destination:

    aws logs put-destination-policy \
        --destination-name "testDestination" \
        --access-policy file://~/NewAccessPolicy.json

    This eventually disables log events from account ID 234567890123. Log events from account ID 345678901234 start flowing to the destination as soon as the owner of account 345678901234 creates a subscription filter using PutSubscriptionFilter.
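The procedure above replaces the destination's access policy wholesale, so a rewrite must carry forward every principal that should keep access. The following added example (not AWS's own code) derives the new policy from the describe-destinations output instead of writing it by hand: it decodes the escaped AccessPolicy string, drops the revoked account, adds the new one, and leaves all other principals untouched. The second allowed account 456789012345 in the sample is a hypothetical addition to the walkthrough's output.

```python
# Added example, not AWS's own code: rewrite a destination access policy so
# one account is revoked and another granted, keeping every other principal.
# PutDestinationPolicy replaces the whole policy; anything left out loses access.
import copy
import json

# Constructed sample describe-destinations output (step 1, other fields omitted)
# with a hypothetical second allowed account 456789012345 that must survive.
DESCRIBE_OUTPUT = {"Destinations": [{
    "DestinationName": "testDestination",
    # AccessPolicy is itself a JSON document stored as an escaped string.
    "AccessPolicy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": "Allow",
        "Principal": {"AWS": ["234567890123", "456789012345"]},
        "Action": "logs:PutSubscriptionFilter",
        "Resource": "arn:aws:logs:us-east-1:123456789012:destination:testDestination"}]}),
}]}


def current_policy(describe_output, name):
    """Decode the AccessPolicy string of the named destination."""
    for dest in describe_output["Destinations"]:
        if dest["DestinationName"] == name:
            return json.loads(dest["AccessPolicy"])
    raise KeyError(f"destination {name!r} not found")


def _principals(stmt):
    """Principal.AWS may be a single string or a list; always return a list."""
    aws = stmt.get("Principal", {}).get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def allowed_accounts(policy):
    """Accounts granted by the policy's Allow statements."""
    return {p for s in policy["Statement"] if s.get("Effect") == "Allow"
            for p in _principals(s)}


def rewrite_policy(policy, revoke, grant):
    """New policy with `revoke` dropped and `grant` added; nothing else changes."""
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        if stmt.get("Effect") != "Allow" or "AWS" not in stmt.get("Principal", {}):
            continue
        kept = [p for p in _principals(stmt) if p != revoke]
        if grant not in kept:
            kept.append(grant)
        stmt["Principal"]["AWS"] = kept
    return new
```

Serialise the result of rewrite_policy with json.dumps to NewAccessPolicy.json and pass it to put-destination-policy exactly as in step 3; comparing allowed_accounts before and after is a quick check that only the intended account lost access.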