本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # 发送到日志的 CloudWatch 日志 **用户权限** 要启用向日志发送 CloudWatch 日志,您必须使用以下权限登录。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ReadWriteAccessForLogDeliveryActions", "Effect": "Allow", "Action": [ "logs:GetDelivery", "logs:GetDeliverySource", "logs:PutDeliveryDestination", "logs:GetDeliveryDestinationPolicy", "logs:DeleteDeliverySource", "logs:PutDeliveryDestinationPolicy", "logs:CreateDelivery", "logs:GetDeliveryDestination", "logs:PutDeliverySource", "logs:DeleteDeliveryDestination", "logs:DeleteDeliveryDestinationPolicy", "logs:DeleteDelivery", "logs:UpdateDeliveryConfiguration" ], "Resource": [ "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery:*", "arn:aws:logs:{{us-east-1}}:{{444455556666}}:delivery-source:*", "arn:aws:logs:{{us-east-1}}:{{777788889999}}:delivery-destination:*" ] }, { "Sid": "ListAccessForLogDeliveryActions", "Effect": "Allow", "Action": [ "logs:DescribeDeliveryDestinations", "logs:DescribeDeliverySources", "logs:DescribeDeliveries", "logs:DescribeConfigurationTemplates" ], "Resource": "*" }, { "Sid": "AllowUpdatesToResourcePolicyCWL", "Effect": "Allow", "Action": [ "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Resource": [ "arn:aws:logs:{{us-east-1}}:{{123456789012}}:*" ] } ] } ``` ------ **日志组和资源策略** 接收日志的日志组必须具有包含特定权限的资源策略。如果日志组当前没有资源策略,并且设置日志记录的用户拥有该日志组的`logs:PutResourcePolicy``logs:DescribeResourcePolicies`、和`logs:DescribeLogGroups`权限,则在您开始向日志发送日志时, Amazon 会自动为其创建以下策略。 CloudWatch 对于新创建的订阅,资源策略是在日志组级别配置的,最大大小为 51,200 字节。如果现有的账户级资源策略已经通过通配符授予权限,则不会创建单独的日志组级别策略。要检查特定日志组的 LogGroup 级别资源策略,请使用将`--resource-arn`参数设置为日志组 ARN 且参数设置为的`describe-resource-policies`命令。`--policy-scope` `RESOURCE` ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite20150319", "Effect": "Allow", "Principal": { "Service": [ "delivery.logs.amazonaws.com" ] }, "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:{{my-log-group}}:log-stream:*" ], "Condition": { "StringEquals": { "aws:SourceAccount": [ "{{0123456789}}" ] }, "ArnLike": { "aws:SourceArn": [ "arn:aws:logs:{{us-east-1}}:{{111122223333}}:*" ] } } } ] } ``` ------ 日志组的资源策略限制为 51,200 字节。一旦达到此限制,AWS 就无法添加新权限。这要求客户手动修改策略,以授予`delivery.logs.amazonaws.com`服务主体对`logs:CreateLogStream`和`logs:PutLogEvents`操作的权限。客户应使用带有通配符的日志组名称前缀,例如`/aws/vendedlogs/*`并在将来创建 Future Delivery 时使用此日志组名称。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite20150319", "Effect": "Allow", "Principal": { "Service": [ "delivery.logs.amazonaws.com" ] }, "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:{{my-log-group/aws/vendedlogs}}/*" ], "Condition": { "StringEquals": { "aws:SourceAccount": [ "{{0123456789}}" ] }, "ArnLike": { "aws:SourceArn": [ "arn:aws:logs:{{us-east-1}}:{{111122223333}}:*" ] } } } ] } ``` ------