

# Updating an existing cross-account subscription


If you currently have a cross-account logs subscription where the destination account grants permissions only to specific sender accounts, and you want to update this subscription so that the destination account grants access to all accounts in an organization, follow the steps in this section.

**Topics**
+ [Step 1: Update the subscription filters](Cross-Account-Log_Subscription-Update-filter.md)
+ [Step 2: Update the existing destination access policy](Cross-Account-Log_Subscription-Update-policy.md)

# Step 1: Update the subscription filters


**Note**  
This step is needed only for cross-account subscriptions for logs that are created by the services listed in [Enable logging from AWS services](AWS-logs-and-resource-policy.md). If you are not working with logs created by one of these services, you can skip to [Step 2: Update the existing destination access policy](Cross-Account-Log_Subscription-Update-policy.md).

In certain cases, you must update the subscription filters in all the sender accounts that are sending logs to the destination account. The update adds an IAM role that CloudWatch Logs can assume in order to validate that the sender account has permission to send logs to the recipient account.

Follow the steps in this section for every sender account that you want to update to use organization ID for the cross-account subscription permissions.

In the examples in this section, two accounts, `111111111111` and `222222222222`, already have subscription filters created to send logs to account `999999999999`. The existing subscription filter values are as follows:

```
## Existing subscription filter parameter values
    --log-group-name "my-log-group-name" \
    --filter-name "RecipientStream" \
    --filter-pattern "{$.userIdentity.type = Root}" \
    --destination-arn "arn:aws:logs:region:999999999999:destination:testDestination"
```

If you need to find the current subscription filter parameter values, enter the following command.

```
aws logs describe-subscription-filters \
    --log-group-name "my-log-group-name"
```

**To update a subscription filter to start using organization IDs for cross-account log permissions**

1. Create the following trust policy in a file `~/TrustPolicyForCWL.json`. Use a text editor to create this policy file; do not use the IAM console.

   ```
   {
     "Statement": {
       "Effect": "Allow",
       "Principal": { "Service": "logs.amazonaws.com" },
       "Action": "sts:AssumeRole"
     }
   }
   ```

1. Create the IAM role that uses this policy. Take note of the `Arn` value that is returned by the command; you will need it later in this procedure. In this example, we use `CWLtoSubscriptionFilterRole` for the name of the role we're creating.

   ```
   aws iam create-role \
       --role-name CWLtoSubscriptionFilterRole \
       --assume-role-policy-document file://~/TrustPolicyForCWL.json
   ```

1. Create a permissions policy to define the actions that CloudWatch Logs can perform on your account.

   1. First, use a text editor to create the following permissions policy in a file named `~/PermissionsForCWLSubscriptionFilter.json`. Replace `region` with your Region and the log group name with the name of the log group on which the subscription filter is created.

      ```
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "logs:PutLogEvents",
                  "Resource": "arn:aws:logs:region:111111111111:log-group:LogGroupOnWhichSubscriptionFilterIsCreated:*"
              }
          ]
      }
      ```

   1. Enter the following command to associate the permissions policy you just created with the role that you created in step 2.

      ```
      aws iam put-role-policy \
          --role-name CWLtoSubscriptionFilterRole \
          --policy-name Permissions-Policy-For-CWL-Subscription-filter \
          --policy-document file://~/PermissionsForCWLSubscriptionFilter.json
      ```

1. Enter the following command to update the subscription filter.

   ```
   aws logs put-subscription-filter \
       --log-group-name "my-log-group-name" \
       --filter-name "RecipientStream" \
       --filter-pattern "{$.userIdentity.type = Root}" \
       --destination-arn "arn:aws:logs:region:999999999999:destination:testDestination" \
       --role-arn "arn:aws:iam::111111111111:role/CWLtoSubscriptionFilterRole"
   ```

# Step 2: Update the existing destination access policy


After you have updated the subscription filters in all of the sender accounts, you can update the destination access policy in the recipient account.

In the following examples, the recipient account is `999999999999` and the destination is named `testDestination`.

The update enables all accounts that are part of the organization with ID `o-1234567890` to send logs to the recipient account. Only the accounts that have subscription filters created will actually send logs to the recipient account.

**To update the destination access policy in the recipient account to start using an organization ID for permissions**

1. In the recipient account, use a text editor to create a `~/AccessPolicy.json` file with the following contents.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": "*",
               "Action": "logs:PutSubscriptionFilter",
               "Resource": "arn:aws:logs:us-east-1:999999999999:destination:testDestination",
               "Condition": {
                   "StringEquals": {
                       "aws:PrincipalOrgID": [
                           "o-1234567890"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. Enter the following command to attach the policy that you just created to the existing destination. To update a destination to use an access policy with an organization ID instead of an access policy that lists specific AWS account IDs, include the `--force` parameter.

   **Warning**  
   If you are working with logs sent by an AWS service listed in [Enable logging from AWS services](AWS-logs-and-resource-policy.md), then before doing this step, you must have first updated the subscription filters in all the sender accounts as explained in [Step 1: Update the subscription filters](Cross-Account-Log_Subscription-Update-filter.md).

   ```
   aws logs put-destination-policy \
       --destination-name "testDestination" \
       --access-policy file://~/AccessPolicy.json \
       --force
   ```
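Because the destination policy above uses a wildcard `Principal` with `--force` applied, it is worth checking two things locally before running Step 2: that every wildcard statement in `AccessPolicy.json` is still restricted by `aws:PrincipalOrgID` to the expected organization and grants only `logs:PutSubscriptionFilter`, and that the sender accounts' subscription filters already carry the `roleArn` from Step 1. The following Python is an added example and not part of the AWS documentation; the `describe-subscription-filters` output it reads is constructed inline, and the unsafe policy variant is constructed to show what the check rejects.

```python
import json

ORG_ID = "o-1234567890"          # organization ID used on this page

# Destination policy from Step 2 (expected form) and a constructed unsafe variant
# with the same wildcard principal but no aws:PrincipalOrgID condition.
GOOD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": "*", "Action": "logs:PutSubscriptionFilter",
  "Resource": "arn:aws:logs:us-east-1:999999999999:destination:testDestination",
  "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-1234567890"]}}}]}""")
BAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": "*", "Action": "logs:PutSubscriptionFilter",
  "Resource": "arn:aws:logs:us-east-1:999999999999:destination:testDestination"}]}""")

def policy_problems(policy, org_id=ORG_ID):
    """Findings for a destination access policy (empty list means it is OK).
    Every Allow statement with a wildcard principal must be limited by
    aws:PrincipalOrgID to org_id, and must grant only logs:PutSubscriptionFilter."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):            # IAM allows a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action != "logs:PutSubscriptionFilter":
                problems.append(f"statement {i}: unexpected action {action}")
        if st.get("Principal") in ("*", {"AWS": "*"}):
            orgs = st.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID", [])
            orgs = [orgs] if isinstance(orgs, str) else orgs
            if orgs != [org_id]:
                problems.append(f"statement {i}: wildcard principal not limited to {org_id}")
    return problems

# Constructed output in the shape of `aws logs describe-subscription-filters`:
# one filter already carries the role from Step 1, one does not.
SAMPLE_FILTERS = {"subscriptionFilters": [
    {"filterName": "RecipientStream", "logGroupName": "my-log-group-name",
     "roleArn": "arn:aws:iam::111111111111:role/CWLtoSubscriptionFilterRole"},
    {"filterName": "LegacyStream", "logGroupName": "other-log-group"}]}

def filters_missing_role(describe_output):
    """Names of subscription filters that have no roleArn yet (Step 1 not applied)."""
    return [f["filterName"] for f in describe_output.get("subscriptionFilters", [])
            if not f.get("roleArn")]

if __name__ == "__main__":
    print("good policy:", policy_problems(GOOD_POLICY) or "OK")
    print("bad policy:", policy_problems(BAD_POLICY))
    print("filters still to update:", filters_missing_role(SAMPLE_FILTERS))
```

Filters without a `roleArn` only matter for logs produced by the services named in the Step 1 note; for other log groups the role is not required.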