

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

# Role policy document for CloudTrail to use CloudWatch Logs for monitoring
<a name="cloudtrail-required-policy-for-cloudwatch-logs"></a>

This section describes the permissions policy that the CloudTrail role needs in order to send log events to CloudWatch Logs. You can attach the policy document to the role when you configure CloudTrail to send events, as described in [Sending events to CloudWatch Logs](send-cloudtrail-events-to-cloudwatch-logs.md). You can also create the role with IAM. For more information, see [Creating a role to delegate permissions to an Amazon Web Services service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html) or [Creating an IAM role (Amazon CLI)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-cli).

The following example policy document contains the permissions required to create a CloudWatch Logs log stream in the log group you specify and to deliver CloudTrail events to that log stream in the US East (Ohio) Region. (This is the default policy for the default IAM role `CloudTrail_CloudWatchLogs_Role`.) Note that both statements are scoped to log streams under the named log group whose names begin with the given prefix; the role is not granted `logs:*` or access to other log groups.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream2014110",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:us-east-2:111122223333:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents20141101",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-2:111122223333:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
            ]
        }
    ]
}
```

------

If you are creating a policy that might also be used for organization trails, you need to modify the default policy created for the role. Organization trails write to log streams whose names start with the organization ID rather than the account ID, so the default resource ARNs do not cover them. For example, the following policy grants CloudTrail the permissions required to create a CloudWatch Logs log stream in the log group you specify as the value for *log\_group\_name*, and to deliver CloudTrail events to that log stream, both for trails in the Amazon Web Services account 111111111111 and for organization trails created in account 111111111111 that are applied to the Amazon Organizations organization with the ID *o-exampleorgid*:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream20141101",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:us-east-2:111111111111:log-group:log_group_name:log-stream:111111111111_CloudTrail_us-east-2*",
                "arn:aws:logs:us-east-2:111111111111:log-group:log_group_name:log-stream:o-exampleorgid_*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents20141101",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-2:111111111111:log-group:log_group_name:log-stream:111111111111_CloudTrail_us-east-2*",
                "arn:aws:logs:us-east-2:111111111111:log-group:log_group_name:log-stream:o-exampleorgid_*"
            ]
        }
    ]
}
```

------
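To check that a generated policy is scoped the way the two documents above are, here is an added Python example (not part of the CloudTrail documentation) that builds the role policy from an account ID, Region, log group name and optional organization ID, and runs a minimal IAM-style wildcard match to show which log-stream ARNs the policy does and does not cover. The `build_policy`, `is_allowed` and `log_stream_arn` functions are this example's own; the evaluator handles only `Allow` statements with `*`/`?` wildcards and ignores `Deny`, conditions and resource-based policies, so it illustrates the scoping rather than reproducing the IAM policy engine. The account IDs, Region, log group name and organization ID are the placeholders used on this page.

```python
"""Build the CloudTrail -> CloudWatch Logs role policy and check its scoping.

Added example; not the CloudTrail documentation's own code.
"""
import json
import re


def log_stream_arn(region, account, log_group, stream_pattern):
    """ARN (or ARN pattern) of a log stream inside a CloudWatch Logs log group."""
    return (f"arn:aws:logs:{region}:{account}:log-group:{log_group}"
            f":log-stream:{stream_pattern}")


def build_policy(region, account, log_group, org_id=None):
    """Return the role policy as a dict.

    Resources are restricted to log streams whose names start with the prefixes
    CloudTrail uses: <account>_CloudTrail_<region>* for account trails and, when
    org_id is given, <org-id>_* for organization trails (as on this page).
    """
    prefixes = [f"{account}_CloudTrail_{region}*"]
    if org_id:
        prefixes.append(f"{org_id}_*")
    resources = [log_stream_arn(region, account, log_group, p) for p in prefixes]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailCreateLogStream20141101", "Effect": "Allow",
             "Action": ["logs:CreateLogStream"], "Resource": resources},
            {"Sid": "AWSCloudTrailPutLogEvents20141101", "Effect": "Allow",
             "Action": ["logs:PutLogEvents"], "Resource": resources},
        ],
    }


def _wildcard_to_regex(pattern, ignore_case=False):
    """IAM wildcards: '*' matches any run of characters, '?' a single character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the resource.

    Action names are matched case-insensitively, resource ARNs case-sensitively,
    mirroring IAM. Deny statements and Condition blocks are not evaluated here.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        action_ok = any(_wildcard_to_regex(a, ignore_case=True).match(action)
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(_wildcard_to_regex(r).match(resource_arn)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    policy = build_policy("us-east-2", "111111111111", "log_group_name",
                          org_id="o-exampleorgid")
    print(json.dumps(policy, indent=4))
    stream = log_stream_arn("us-east-2", "111111111111", "log_group_name",
                            "111111111111_CloudTrail_us-east-2_example")
    print("PutLogEvents on own stream:", is_allowed(policy, "logs:PutLogEvents", stream))
    other = log_stream_arn("us-east-2", "111111111111", "other_group",
                           "111111111111_CloudTrail_us-east-2_example")
    print("PutLogEvents on other log group:", is_allowed(policy, "logs:PutLogEvents", other))
```

Write the printed JSON to a file and attach it to the role with `aws iam put-role-policy --role-name CloudTrail_CloudWatchLogs_Role --policy-name <policy-name> --policy-document file://policy.json` (the policy name is yours to choose). The negative checks are the point: a stream in a different log group, a different Region, or an action such as `logs:DeleteLogGroup` is not covered, which is what keeps the delivery role least-privilege.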

For more information about organization trails, see [Creating a trail for an organization](creating-trail-organization.md).