This page is a machine translation of the English version. If there is any ambiguity or inconsistency between the two, the English version prevails.
Step 1: Create an integration with OpenSearch Service
The first step is to create an integration with OpenSearch Service. You only need to do this once. Creating the integration creates the following resources in your account.
- An OpenSearch Service time series collection without high availability. A collection is a group of OpenSearch Service indexes that work together to support a workload.
- Two security policies for the collection. One defines the encryption type, using either a customer managed AWS KMS key or a service-owned key. The other defines network access and allows the OpenSearch Service application to reach the collection. For more information, see Encryption of data at rest for Amazon OpenSearch Service.
- An OpenSearch Service data access policy that defines who can access the data in the collection.
- An OpenSearch Service direct query data source that defines CloudWatch Logs as the source.
- An OpenSearch Service application named aws-analytics. The application is configured to allow workspaces to be created. If an application named aws-analytics already exists, it is updated to add this collection as a data source.
- An OpenSearch Service workspace that hosts the dashboards and lets everyone who has been granted access read from the workspace.
Required permissions
To create the integration, you must be signed in to an account that has the CloudWatchOpenSearchDashboardsFullAccess managed IAM policy, or equivalent permissions, as shown below. You also need these permissions to delete the integration, to create, edit and delete dashboards, and to manually refresh dashboards.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchOpenSearchDashboardsIntegration",
      "Effect": "Allow",
      "Action": [
        "logs:ListIntegrations",
        "logs:GetIntegration",
        "logs:DeleteIntegration",
        "logs:PutIntegration",
        "logs:DescribeLogGroups",
        "opensearch:ApplicationAccessAll",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsOpensearchReadAPIs",
      "Effect": "Allow",
      "Action": [
        "aoss:BatchGetCollection",
        "aoss:BatchGetLifecyclePolicy",
        "es:ListApplications"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsOpensearchCreateServiceLinkedAccess",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "opensearchservice.amazonaws.com",
          "aws:CalledViaFirst": "logs.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "observability.aoss.amazonaws.com",
          "aws:CalledViaFirst": "logs.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsCollectionRequestAccess",
      "Effect": "Allow",
      "Action": [
        "aoss:CreateCollection"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:RequestTag/CloudWatchOpenSearchIntegration": [
            "Dashboards"
          ]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "CloudWatchOpenSearchIntegration"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsApplicationRequestAccess",
      "Effect": "Allow",
      "Action": [
        "es:CreateApplication"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:RequestTag/OpenSearchIntegration": [
            "Dashboards"
          ]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "OpenSearchIntegration"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsCollectionResourceAccess",
      "Effect": "Allow",
      "Action": [
        "aoss:DeleteCollection"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
            "Dashboards"
          ]
        }
      }
    },
    {
      "Sid": "CloudWatchLogsApplicationResourceAccess",
      "Effect": "Allow",
      "Action": [
        "es:UpdateApplication",
        "es:GetApplication"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:ResourceTag/OpenSearchIntegration": [
            "Dashboards"
          ]
        }
      }
    },
    {
      "Sid": "CloudWatchLogsCollectionPolicyAccess",
      "Effect": "Allow",
      "Action": [
        "aoss:CreateSecurityPolicy",
        "aoss:CreateAccessPolicy",
        "aoss:DeleteAccessPolicy",
        "aoss:DeleteSecurityPolicy",
        "aoss:GetAccessPolicy",
        "aoss:GetSecurityPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aoss:collection": "cloudwatch-logs-*",
          "aws:CalledViaFirst": "logs.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsAPIAccessAll",
      "Effect": "Allow",
      "Action": [
        "aoss:APIAccessAll"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aoss:collection": "cloudwatch-logs-*"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsIndexPolicyAccess",
      "Effect": "Allow",
      "Action": [
        "aoss:CreateAccessPolicy",
        "aoss:DeleteAccessPolicy",
        "aoss:GetAccessPolicy",
        "aoss:CreateLifecyclePolicy",
        "aoss:DeleteLifecyclePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aoss:index": "cloudwatch-logs-*",
          "aws:CalledViaFirst": "logs.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsDQSRequestQueryAccess",
      "Effect": "Allow",
      "Action": [
        "es:AddDirectQueryDataSource"
      ],
      "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:RequestTag/CloudWatchOpenSearchIntegration": [
            "Dashboards"
          ]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "CloudWatchOpenSearchIntegration"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsStartDirectQueryAccess",
      "Effect": "Allow",
      "Action": [
        "opensearch:StartDirectQuery",
        "opensearch:GetDirectQuery"
      ],
      "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*"
    },
    {
      "Sid": "CloudWatchLogsDQSResourceQueryAccess",
      "Effect": "Allow",
      "Action": [
        "es:GetDirectQueryDataSource",
        "es:DeleteDirectQueryDataSource"
      ],
      "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
            "Dashboards"
          ]
        }
      }
    },
    {
      "Sid": "CloudWatchLogsPassRoleAccess",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "directquery.opensearchservice.amazonaws.com",
          "aws:CalledViaFirst": "logs.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsAossTagsAccess",
      "Effect": "Allow",
      "Action": [
        "aoss:TagResource"
      ],
      "Resource": "arn:aws:aoss:*:*:collection/*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
            "Dashboards"
          ]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "CloudWatchOpenSearchIntegration"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsEsApplicationTagsAccess",
      "Effect": "Allow",
      "Action": [
        "es:AddTags"
      ],
      "Resource": "arn:aws:opensearch:*:*:application/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/OpenSearchIntegration": [
            "Dashboards"
          ],
          "aws:CalledViaFirst": "logs.amazonaws.com"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "OpenSearchIntegration"
        }
      }
    },
    {
      "Sid": "CloudWatchLogsEsDataSourceTagsAccess",
      "Effect": "Allow",
      "Action": [
        "es:AddTags"
      ],
      "Resource": "arn:aws:opensearch:*:*:datasource/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
            "Dashboards"
          ],
          "aws:CalledViaFirst": "logs.amazonaws.com"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "CloudWatchOpenSearchIntegration"
        }
      }
    }
  ]
}
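Most statements in the policy above are not plain grants: they are scoped by the aws:CalledViaFirst global condition key (the action is allowed only when CloudWatch Logs is the first service calling on the principal's behalf), by request or resource tags, or by an aoss:collection / aoss:index name pattern. Before attaching a policy like this, or an "equivalent" hand-written one, it is worth checking which actions a principal can call directly and which Resource "*" statements carry no condition at all. The script below is an added example, not AWS tooling and not part of this documentation. It embeds a constructed excerpt of the policy (four of its statements) so that it runs offline; the audit functions work on any IAM policy document in the same JSON shape.

```python
"""Audit how each statement of an IAM policy is scoped (added example)."""
import json

# Constructed excerpt: four statements from the managed policy shown on this page.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchOpenSearchDashboardsIntegration",
      "Effect": "Allow",
      "Action": ["logs:ListIntegrations", "logs:GetIntegration",
                 "logs:DeleteIntegration", "logs:PutIntegration",
                 "logs:DescribeLogGroups", "opensearch:ApplicationAccessAll",
                 "iam:ListRoles", "iam:ListUsers"],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsCollectionRequestAccess",
      "Effect": "Allow",
      "Action": ["aoss:CreateCollection"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "logs.amazonaws.com",
          "aws:RequestTag/CloudWatchOpenSearchIntegration": ["Dashboards"]
        },
        "ForAllValues:StringEquals": {"aws:TagKeys": "CloudWatchOpenSearchIntegration"}
      }
    },
    {
      "Sid": "CloudWatchLogsAPIAccessAll",
      "Effect": "Allow",
      "Action": ["aoss:APIAccessAll"],
      "Resource": "*",
      "Condition": {"StringLike": {"aoss:collection": "cloudwatch-logs-*"}}
    },
    {
      "Sid": "CloudWatchLogsStartDirectQueryAccess",
      "Effect": "Allow",
      "Action": ["opensearch:StartDirectQuery", "opensearch:GetDirectQuery"],
      "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*"
    }
  ]
}
'''


def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_keys(stmt):
    """Flatten Condition {operator: {key: value}} into the set of condition keys used."""
    keys = set()
    for _operator, key_values in stmt.get("Condition", {}).items():
        keys.update(key_values)
    return keys


def called_via(stmt, service):
    """True if the statement applies only when `service` made the call on the principal's behalf."""
    for _operator, key_values in stmt.get("Condition", {}).items():
        if service in as_list(key_values.get("aws:CalledViaFirst")):
            return True
    return False


def describe_statement(stmt):
    """Summarise the scoping mechanisms a single statement relies on."""
    keys = condition_keys(stmt)
    return {
        "sid": stmt.get("Sid", "<no Sid>"),
        "wildcard_resource": "*" in as_list(stmt.get("Resource")),
        "called_via_logs": called_via(stmt, "logs.amazonaws.com"),
        "tag_scoped": any(k.startswith(("aws:RequestTag/", "aws:ResourceTag/")) for k in keys),
        "name_scoped": bool(keys & {"aoss:collection", "aoss:index"}),
    }


def unscoped_wildcard_sids(policy):
    """Allow statements that grant Resource "*" with no Condition at all."""
    return [s.get("Sid", "<no Sid>") for s in as_list(policy.get("Statement"))
            if s.get("Effect") == "Allow"
            and "*" in as_list(s.get("Resource"))
            and not s.get("Condition")]


def directly_callable_actions(policy, service="logs.amazonaws.com"):
    """Actions the principal can invoke itself, i.e. not gated behind aws:CalledViaFirst=service."""
    actions = set()
    for s in as_list(policy.get("Statement")):
        if s.get("Effect") == "Allow" and not called_via(s, service):
            actions.update(as_list(s.get("Action")))
    return sorted(actions)


def audit(policy_text):
    """Parse a policy document and return the full scoping report."""
    policy = json.loads(policy_text)
    return {
        "statements": [describe_statement(s) for s in as_list(policy.get("Statement"))],
        "unscoped_wildcards": unscoped_wildcard_sids(policy),
        "directly_callable": directly_callable_actions(policy),
    }


if __name__ == "__main__":
    report = audit(POLICY_JSON)
    for row in report["statements"]:
        print(row)
    print("Resource * with no Condition:", report["unscoped_wildcards"])
    print("Callable without logs.amazonaws.com in the call chain:", report["directly_callable"])
```

On the excerpt, the only statement with a wildcard resource and no condition is the first one (the logs:*Integration, logs:DescribeLogGroups, opensearch:ApplicationAccessAll and iam:List* grants); aoss:CreateCollection is usable only through the CloudWatch Logs integration workflow and only with the expected tag, while aoss:APIAccessAll and the direct-query actions are callable directly but limited to cloudwatch-logs-* collections and cloudwatch_logs_* data sources. Run the same audit over a replacement "equivalent" policy before attaching it, to confirm it does not drop those conditions.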
Create the integration
Use these steps to create the integration.
To integrate CloudWatch Logs with Amazon OpenSearch Service
- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation pane, choose Logs Insights, then choose the Analyze with OpenSearch tab.
- Choose Create integration.
- For Integration name, enter a name for the integration.
- (Optional) To encrypt the data written to OpenSearch Service Serverless, enter the ARN of the AWS KMS key you want to use in KMS key ARN. For more information, see Encryption at rest in the Amazon OpenSearch Service Developer Guide.
- For Data retention, enter how long you want OpenSearch Service to retain the data indexes. This also defines the maximum period of data you can view in the dashboards. Choosing a longer retention period incurs additional search and indexing costs. For more information, see OpenSearch Service Serverless pricing. The maximum retention period is 30 days. The data retention length is also used to create the OpenSearch Service collection lifecycle policy.
- For IAM role to write to OpenSearch collection, create a new IAM role or select an existing IAM role to use for writing to the OpenSearch Service collection. Creating a new role is the simplest method; the role is created with the required permissions.
Note
If you create the role, it will have permission to read from all log groups in the account.
If you want to select an existing role, it should have the permissions listed in Permissions required for the integration. Alternatively, you can choose to use an existing role and then, in the Verify access permissions for the selected role section, choose Create role. This lets you use the permissions listed in Permissions required for the integration as a template and modify them, for example if you want more granular control over which log groups the role can read.
- For IAM roles and users that can view dashboards, choose how to grant IAM roles and IAM users access to the log dashboards:
  - To restrict dashboard access to only some users, choose Select IAM roles and users that can view dashboards, then search for and select the IAM roles and IAM users you want to grant access in the text box.
  - To grant dashboard access to all users, choose Allow all roles and users in this account to view dashboards.
Important
Selecting roles or users, or choosing all users, only adds them to the data access policy required to access the OpenSearch Service collection that stores the dashboard data. To enable them to view the log dashboards, you must also grant those roles and users the CloudWatchOpenSearchDashboardAccess managed IAM policy.
- Choose Create integration. Creating the integration takes a few minutes.