本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
集成所需的权限
如果您创建 IAM 角色供集成使用,则该角色必须包含以下权限和信任策略,而不是允许 L CloudWatch ogs 创建角色。有关如何创建 IAM 角色的更多信息,请参阅创建角色以向 Amazon 服务委派权限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchLogsAccess", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:GetLogGroupFields", "logs:GetQueryResults" ], "Resource": [ "*" ] }, { "Sid": "CloudWatchLogsDescribeLogGroupsAccess", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": "*" }, { "Sid": "AmazonOpenSearchCollectionAccess", "Effect": "Allow", "Action": [ "aoss:APIAccessAll" ], "Resource": "*", "Condition": { "StringLike": { "aoss:collection": "cloudwatch-logs-*" } } } ] } //Trust Policy { "Version": "2012-10-17", "Statement": [ { "Sid": "TrustPolicyForAmazonOpenSearchDirectQueryService", "Effect": "Allow", "Principal": { "Service": "directquery.opensearchservice.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:opensearch:us-east-1:123456789012:datasource/cloudwatch_logs_*" } } } ] }
注意
前一个角色授予对账户中所有日志组的读取权限,使您能够为任何日志账户(包括跨账户日志组)创建控制面板。如果您想限制对特定日志组的访问权限并仅为这些日志组创建控制面板,则可以将该策略中的第一条语句更新为以下内容:
{ "Sid": "CloudWatchLogsAccess", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:GetLogGroupFields", "logs:GetQueryResults" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup:*", "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup" ] }