本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 日志发送至 Firehose
<a name="AWS-logs-infrastructure-V2-Firehose"></a>

**用户权限**

要启用向 Firehose 发送日志，您必须使用以下权限登录。

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ReadWriteAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:GetDelivery",
                "logs:GetDeliverySource",
                "logs:PutDeliveryDestination",
                "logs:GetDeliveryDestinationPolicy",
                "logs:DeleteDeliverySource",
                "logs:PutDeliveryDestinationPolicy",
                "logs:CreateDelivery",
                "logs:GetDeliveryDestination",
                "logs:PutDeliverySource",
                "logs:DeleteDeliveryDestination",
                "logs:DeleteDeliveryDestinationPolicy",
                "logs:DeleteDelivery",
                "logs:UpdateDeliveryConfiguration"
            ],
            "Resource": [
            "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery:*",
    "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-source:*",
    "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:*"
            ]
        },
        {
            "Sid": "ListAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeDeliveryDestinations",
                "logs:DescribeDeliverySources",
                "logs:DescribeDeliveries",
                "logs:DescribeConfigurationTemplates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUpdatesToResourcePolicyFH",
            "Effect": "Allow",
            "Action": [
                "firehose:TagDeliveryStream"
            ],
            "Resource": [
            "arn:aws:firehose:{{us-east-1}}:{{111122223333}}:deliverystream/*"
            ]
        },
        {
            "Sid": "CreateServiceLinkedRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::{{111122223333}}:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
        }
    ]
}
```

------

**用于资源权限的 IAM 角色**

由于 Firehose 不使用资源策略， Amazon 因此在设置要发送到 Firehose 的日志时会使用 IAM 角色。 Amazon 创建名**AWSServiceRoleForLogDelivery**为的服务相关角色。此服务相关角色包括以下权限。

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "firehose:PutRecord",
                "firehose:PutRecordBatch",
                "firehose:ListTagsForDeliveryStream"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/LogDeliveryEnabled": "true"
                }
            },
            "Effect": "Allow"
        }
    ]
}
```

------

此服务相关角色授予标签设置为的所有 Firehose 传送流`LogDeliveryEnabled`的权限。`true` Amazon 在设置日志记录时，将此标签提供给目标传送流。

此服务相关角色还具有允许 `delivery.logs.amazonaws.com` 服务委托人来代入所需服务相关角色的信任策略。该信任策略如下所示：

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------