第 2 步:创建destination - Amazon CloudWatch Logs
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

第 2 步:创建destination

重要

此过程中的所有步骤都需要在日志数据接收者账户中完成。

创建目标

  1. 等到 Kinesis Data Firehose 流您在第 1 步:创建 Kinesis Data Firehosed精英stream变为活动状态。可以使用以下命令检查流描述。流状态属性。

    aws firehose describe-delivery-stream --delivery-stream-name "my-delivery-stream"

    此外,请注意交付流描述。交付流流值,因为您需要在后面的步骤中用到它。此命令的示例输出:

    { "DeliveryStreamDescription": { "DeliveryStreamName": "my-delivery-stream", "DeliveryStreamARN": "arn:aws:firehose:us-east-1:222222222222:deliverystream/my-delivery-stream", "DeliveryStreamStatus": "ACTIVE", "DeliveryStreamEncryptionConfiguration": { "Status": "DISABLED" }, "DeliveryStreamType": "DirectPut", "VersionId": "1", "CreateTimestamp": "2021-02-01T23:59:15.567000-08:00", "Destinations": [ { "DestinationId": "destinationId-000000000001", "S3DestinationDescription": { "RoleARN": "arn:aws:iam::222222222222:role/FirehosetoS3Role", "BucketARN": "arn:aws:s3:::firehose-test-bucket1", "BufferingHints": { "SizeInMBs": 5, "IntervalInSeconds": 300 }, "CompressionFormat": "UNCOMPRESSED", "EncryptionConfiguration": { "NoEncryptionConfig": "NoEncryption" }, "CloudWatchLoggingOptions": { "Enabled": false } }, "ExtendedS3DestinationDescription": { "RoleARN": "arn:aws:iam::222222222222:role/FirehosetoS3Role", "BucketARN": "arn:aws:s3:::firehose-test-bucket1", "BufferingHints": { "SizeInMBs": 5, "IntervalInSeconds": 300 }, "CompressionFormat": "UNCOMPRESSED", "EncryptionConfiguration": { "NoEncryptionConfig": "NoEncryption" }, "CloudWatchLoggingOptions": { "Enabled": false }, "S3BackupMode": "Disabled" } } ], "HasMoreDestinations": false } }

    您的传输流可能需要一两分钟才会以活动状态显示。

  2. 当交付流处于活动状态时,创建 IAM 角色,该角色将授予 CloudWatch Logs 将数据放入 Kinesis Data Firehose 流的权限。首先,您需要在文件 ~/TrustPolicyForCWL.json 中创建信任策略。使用文本编辑器创建此策略。有关 CloudWatch Logs 终端节点的更多信息,请参阅。Amazon CloudWatch Logs 终端节点和配额

    { "Statement": { "Effect": "Allow", "Principal": { "Service": "logs.us-east-1.amazonaws.com" }, "Action": "sts:AssumeRole" } }
  3. 使用aws iam cre-role命令创建 IAM 角色,并指定刚创建的信任策略文件。

    aws iam create-role \ --role-name CWLtoKinesisFirehoseRole \ --assume-role-policy-document file://~/TrustPolicyForCWL.json

    下面是示例输出。记下返回的Role.Arn值,因为您需要在后面的步骤中用到它。

    { "Role": { "Path": "/", "RoleName": "CWLtoKinesisFirehoseRole", "RoleId": "AROAR3BXASEKYJYWF243H", "Arn": "arn:aws:iam::222222222222:role/CWLtoKinesisFirehoseRole", "CreateDate": "2021-02-02T08:10:43+00:00", "AssumeRolePolicyDocument": { "Statement": { "Effect": "Allow", "Principal": { "Service": "logs.us-east-1.amazonaws.com" }, "Action": "sts:AssumeRole" } } } }
  4. 创建权限策略以定义 CloudWatch Logs 可对您的账户执行的操作。首先,使用文本编辑器在文件中创建权限策略〜/许可证

    { "Statement":[ { "Effect":"Allow", "Action":["firehose:*"], "Resource":["arn:aws:firehose:region:222222222222:*"] } ] }
  5. 通过输入以下命令将权限策略与角色关联:

    aws iam put-role-policy --role-name CWLtoKinesisFirehoseRole --policy-name Permissions-Policy-For-CWL --policy-document file://~/PermissionsForCWL.json
  6. 在 Kinesis Data Firehose 传输流进入活动状态并且您已创建 IAM 角色后,您便可以创建 CloudWatch Logs 目标。

    1. 此步骤不会将访问策略与您的目标关联,它只是完成目标创建的两个步骤中的第一个步骤。记下目的地 .arn返回的有效负载:

      aws logs put-destination \ --destination-name "testFirehoseDestination" \ --target-arn "arn:aws:firehose:us-east-1:222222222222:deliverystream/my-delivery-stream" \ --role-arn "arn:aws:iam::222222222222:role/CWLtoKinesisFirehoseRole" { "destination": { "destinationName": "testFirehoseDestination", "targetArn": "arn:aws:firehose:us-east-1:222222222222:deliverystream/my-delivery-stream", "roleArn": "arn:aws:iam::222222222222:role/CWLtoKinesisFirehoseRole", "arn": "arn:aws:logs:us-east-1:222222222222:destination:testFirehoseDestination"} }
    2. 在前面的步骤完成后,在日志数据接收者账户 (222222222222222222222222222222222222222222222222222222222222222222222222222222222222 此策略使得日志数据发送者账户 (11111111111111) 可以访问日志数据接收者账户 (222222222222222222222222222222222222222222222222222222222222222222222222 您可以使用文本编辑器将此策略放在 ~/AccessPolicy.json 文件中:

      { "Version" : "2012-10-17", "Statement" : [ { "Sid" : "", "Effect" : "Allow", "Principal" : { "AWS" : "111111111111" }, "Action" : "logs:PutSubscriptionFilter", "Resource" : "arn:aws:logs:us-east-1:222222222222:destination:testFirehoseDestination" } ] }
    3. 这将创建一个策略,该策略定义了对目标具有写入权限的人。此策略必须指定 logs:PutSubscriptionFilter 操作才能访问目标。跨账户用户将使用 PutSubscriptionFilter 操作向目标发送日志事件:

      aws logs put-destination-policy \ --destination-name "testFirehoseDestination" \ --access-policy file://~/AccessPolicy.json