This page is a machine translation of the English version; where the content is ambiguous or inconsistent, the English version prevails.
Permissions required for the integration
If you create the IAM role for the integration yourself instead of letting CloudWatch Logs create it, the role must include the following permissions policy and trust policy. For more information about how to create an IAM role, see Creating a role to delegate permissions to an AWS service.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudWatchLogsDescribeLogGroupsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonOpenSearchCollectionAccess",
      "Effect": "Allow",
      "Action": [
        "aoss:APIAccessAll"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aoss:collection": "cloudwatch-logs-*"
        }
      }
    }
  ]
}

//Trust Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustPolicyForAmazonOpenSearchDirectQueryService",
      "Effect": "Allow",
      "Principal": {
        "Service": "directquery.opensearchservice.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:opensearch:us-east-1:123456789012:datasource/cloudwatch_logs_*"
        }
      }
    }
  ]
}
Note
The preceding role grants read access to all log groups in the account, so you can create dashboards for any log group, including cross-account log groups. If you want to limit access to specific log groups and create dashboards only for those log groups, update the first statement in that policy to the following:
{
  "Sid": "CloudWatchLogsAccess",
  "Effect": "Allow",
  "Action": [
    "logs:StartQuery",
    "logs:GetLogGroupFields",
    "logs:GetQueryResults"
  ],
  "Resource": [
    "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup:*",
    "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup"
  ]
}
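As an added example that is not part of the AWS documentation, the following Python narrows the first statement to named log groups the way the note above describes, and checks that the trust policy's aws:SourceArn condition names your own account (the confused-deputy guard that condition exists for). The account ID, region and log-group name are the placeholder values used on this page; the function names are this example's own.

```python
import json

DIRECT_QUERY_SERVICE = "directquery.opensearchservice.amazonaws.com"

# Permissions policy from this page (the broad variant, Resource "*").
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchLogsAccess", "Effect": "Allow",
         "Action": ["logs:StartQuery", "logs:GetLogGroupFields",
                    "logs:GetQueryResults"], "Resource": ["*"]},
        {"Sid": "CloudWatchLogsDescribeLogGroupsAccess", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
        {"Sid": "AmazonOpenSearchCollectionAccess", "Effect": "Allow",
         "Action": ["aoss:APIAccessAll"], "Resource": "*",
         "Condition": {"StringLike": {"aoss:collection": "cloudwatch-logs-*"}}},
    ],
}

def log_group_arns(account_id, region, log_group):
    # Both forms are needed, as in the scoped statement on this page:
    # the ":*" form covers the log streams, the bare form the group itself.
    base = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return [f"{base}:*", base]

def scope_logs_statement(policy, account_id, region, log_groups):
    """Copy of `policy` with CloudWatchLogsAccess limited to `log_groups`."""
    scoped = json.loads(json.dumps(policy))  # deep copy; input is untouched
    for stmt in scoped["Statement"]:
        if stmt.get("Sid") == "CloudWatchLogsAccess":
            stmt["Resource"] = [arn for lg in log_groups
                                for arn in log_group_arns(account_id, region, lg)]
            return scoped
    raise ValueError("policy has no CloudWatchLogsAccess statement")

def trust_scoped_to_account(trust_policy, account_id):
    """True only if every Allow statement for the direct-query service
    principal carries an aws:SourceArn condition naming this account."""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if stmt.get("Effect") != "Allow" or service != DIRECT_QUERY_SERVICE:
            continue
        cond = stmt.get("Condition", {}).get("ArnLike", {})
        arns = cond.get("aws:SourceArn")
        arns = [arns] if isinstance(arns, str) else (arns or [])
        if not any(f":{account_id}:" in a for a in arns):
            return False
    return True
```

Run trust_scoped_to_account against the trust policy above before attaching it: a statement that omits the aws:SourceArn condition lets the service assume the role on behalf of data sources in any account.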