


# Step 1: Create the integration with OpenSearch Service
<a name="OpenSearch-Dashboards-Integrate"></a>

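The first step is to create the integration with OpenSearch Service. You only need to do this once. Creating the integration creates the following resources in your account.
+ An **[OpenSearch Service time series collection](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-collections.html)** without high availability.

  A collection is a set of OpenSearch Service *indexes* that work together to support a workload.
+ **Two security policies** for the collection. One defines the encryption type, which uses either a customer managed AWS KMS key or a service-owned key. The other policy defines network access and allows the OpenSearch Service application to access the collection. For more information, see [Encryption of data at rest for Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html).
+ An **[OpenSearch Service data access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html)** that defines who can access the data in the collection.
+ An **[OpenSearch Service direct query data source](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/direct-query-s3.html)** with CloudWatch Logs defined as the source.
+ An **[OpenSearch Service application](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application.html)** named `aws-analytics`. The application is configured to allow workspace creation. If an application named `aws-analytics` already exists, it is updated to add this collection as a data source.
+ An **[OpenSearch Service workspace](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application.html)** that hosts the dashboards and allows everyone who has been granted access to read from the workspace.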

**Topics**
+ [Required permissions](#OpenSearch-Dashboards-Perms)
+ [Create the integration](#OpenSearch-Dashboards-Procedure)

## Required permissions
<a name="OpenSearch-Dashboards-Perms"></a>

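To create the integration, you must be signed in to an account that has the **CloudWatchOpenSearchDashboardsFullAccess** managed IAM policy or equivalent permissions, as shown below. You must also have these permissions to delete the integration, to create, edit, and delete dashboards, and to refresh dashboards manually.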

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [{
            "Sid": "CloudWatchOpenSearchDashboardsIntegration",
            "Effect": "Allow",
            "Action": [
                "logs:ListIntegrations",
                "logs:GetIntegration",
                "logs:DeleteIntegration",
                "logs:PutIntegration",
                "logs:DescribeLogGroups",
                "opensearch:ApplicationAccessAll",
                "iam:ListRoles",
                "iam:ListUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsOpensearchReadAPIs",
            "Effect": "Allow",
            "Action": [
                "aoss:BatchGetCollection",
                "aoss:BatchGetLifecyclePolicy",
                "es:ListApplications"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsOpensearchCreateServiceLinkedAccess",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "opensearchservice.amazonaws.com",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "observability.aoss.amazonaws.com",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsCollectionRequestAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:CreateCollection"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:RequestTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsApplicationRequestAccess",
            "Effect": "Allow",
            "Action": [
                "es:CreateApplication"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:RequestTag/OpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "OpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsCollectionResourceAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:DeleteCollection"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchLogsApplicationResourceAccess",
            "Effect": "Allow",
            "Action": [
                "es:UpdateApplication",
                "es:GetApplication"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/OpenSearchIntegration": [
                        "Dashboards"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchLogsCollectionPolicyAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:CreateSecurityPolicy",
                "aoss:CreateAccessPolicy",
                "aoss:DeleteAccessPolicy",
                "aoss:DeleteSecurityPolicy",
                "aoss:GetAccessPolicy",
                "aoss:GetSecurityPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aoss:collection": "cloudwatch-logs-*",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsAPIAccessAll",
            "Effect": "Allow",
            "Action": [
                "aoss:APIAccessAll"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aoss:collection": "cloudwatch-logs-*"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsIndexPolicyAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:CreateAccessPolicy",
                "aoss:DeleteAccessPolicy",
                "aoss:GetAccessPolicy",
                "aoss:CreateLifecyclePolicy",
                "aoss:DeleteLifecyclePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aoss:index": "cloudwatch-logs-*",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsDQSRequestQueryAccess",
            "Effect": "Allow",
            "Action": [
                "es:AddDirectQueryDataSource"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:RequestTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsStartDirectQueryAccess",
            "Effect": "Allow",
            "Action": [
                "opensearch:StartDirectQuery",
                "opensearch:GetDirectQuery"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*"
        },
        {
            "Sid": "CloudWatchLogsDQSResourceQueryAccess",
            "Effect": "Allow",
            "Action": [
                "es:GetDirectQueryDataSource",
                "es:DeleteDirectQueryDataSource"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchLogsPassRoleAccess",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "directquery.opensearchservice.amazonaws.com",
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsAossTagsAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:TagResource"
            ],
            "Resource": "arn:aws:aoss:*:*:collection/*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsEsApplicationTagsAccess",
            "Effect": "Allow",
            "Action": [
                "es:AddTags"
            ],
            "Resource": "arn:aws:opensearch:*:*:application/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/OpenSearchIntegration": [
                        "Dashboards"
                    ],
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "OpenSearchIntegration"
                }
            }
        },
        {
            "Sid": "CloudWatchLogsEsDataSourceTagsAccess",
            "Effect": "Allow",
            "Action": [
                "es:AddTags"
            ],
            "Resource": "arn:aws:opensearch:*:*:datasource/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": [
                        "Dashboards"
                    ],
                    "aws:CalledViaFirst": "logs.amazonaws.com"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudWatchOpenSearchIntegration"
                }
            }
        }
    ]
}
```

------
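
When you build a custom policy with "equivalent permissions", it helps to know which statements in the policy above apply only when CloudWatch Logs makes the call on your behalf (`aws:CalledViaFirst`) and which ones the principal can use directly. The following Python is an added example, not AWS code; `POLICY_EXCERPT`, `audit` and `directly_callable` are hypothetical names, and the sample is an abridged excerpt of the policy above.

```python
import json

# Constructed sample: four statements abridged from the policy above, not the full policy.
POLICY_EXCERPT = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "CloudWatchOpenSearchDashboardsIntegration", "Effect": "Allow",
  "Action": ["logs:PutIntegration", "opensearch:ApplicationAccessAll"], "Resource": "*"},
 {"Sid": "CloudWatchLogsCollectionRequestAccess", "Effect": "Allow",
  "Action": ["aoss:CreateCollection"], "Resource": "*",
  "Condition": {"StringEquals": {"aws:CalledViaFirst": "logs.amazonaws.com",
                                 "aws:RequestTag/CloudWatchOpenSearchIntegration": ["Dashboards"]},
                "ForAllValues:StringEquals": {"aws:TagKeys": "CloudWatchOpenSearchIntegration"}}},
 {"Sid": "CloudWatchLogsAPIAccessAll", "Effect": "Allow", "Action": ["aoss:APIAccessAll"],
  "Resource": "*", "Condition": {"StringLike": {"aoss:collection": "cloudwatch-logs-*"}}},
 {"Sid": "CloudWatchLogsStartDirectQueryAccess", "Effect": "Allow",
  "Action": ["opensearch:StartDirectQuery", "opensearch:GetDirectQuery"],
  "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*"}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_keys(stmt):
    """Map each condition key (lower-cased; key names are case-insensitive) to (operator, values)."""
    keys = {}
    for operator, block in stmt.get("Condition", {}).items():
        for key, values in block.items():
            keys[key.lower()] = (operator, _as_list(values))
    return keys

def audit(policy, service="logs.amazonaws.com"):
    """Report, per Allow statement, how its use is constrained."""
    report = []
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    for stmt in allows:
        keys = condition_keys(stmt)
        op, via = keys.get("aws:calledviafirst", (None, []))
        report.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "via_service_only": op in ("StringEquals", "StringLike") and via == [service],
            "wildcard_resource": "*" in _as_list(stmt.get("Resource", [])),
            "tag_scoped": any(k.startswith(("aws:requesttag/", "aws:resourcetag/")) for k in keys),
        })
    return report

def directly_callable(policy):
    """Sids the principal can use itself rather than only through CloudWatch Logs."""
    return [r["sid"] for r in audit(policy) if not r["via_service_only"]]
```

Run `audit` on the full policy document to see the same classification for every statement before trimming or extending it.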

## Create the integration
<a name="OpenSearch-Dashboards-Procedure"></a>

Use these steps to create the integration.

**To integrate CloudWatch Logs with Amazon OpenSearch Service**

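1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the left navigation pane, choose **Logs Insights**, and then choose the **Analyze with OpenSearch** tab.

1. Choose **Create integration**.

1. For **Integration name**, enter a name for the integration.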

1. (Optional) To encrypt the data written to OpenSearch Service Serverless, enter the ARN of the AWS KMS key that you want to use in **KMS key ARN**. For more information, see [Encryption at rest](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-encryption.html) in the *Amazon OpenSearch Service Developer Guide*.

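1. For **Data retention**, enter the length of time that you want the OpenSearch Service data indexes to be retained. This also defines the maximum time period for which you can view data in the dashboards. Choosing a longer data retention period incurs additional search and indexing costs. For more information, see [OpenSearch Service Serverless pricing](https://aws.amazon.com/opensearch-service/pricing/).

   The maximum retention period is 30 days.

   The data retention length is also used to create the OpenSearch Service collection lifecycle policy.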

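1. For **IAM role for writing to OpenSearch collection**, create a new IAM role or select an existing IAM role to use for writing to the OpenSearch Service collection.

   Creating a new role is the simplest method, and the role is created with the necessary permissions.
**Note**  
If you create a role, it will have permissions to read from all log groups in the account.

   If you want to select an existing role, it should have the permissions listed in [Permissions required for the integration](OpenSearch-Dashboards-CreateRole.md). Alternatively, you can choose **Use an existing role**, and then in the **Verify access permissions of the selected role** section, choose **Create role**. This way, you can use the permissions listed in [Permissions required for the integration](OpenSearch-Dashboards-CreateRole.md) as a template and modify them, for example, if you want to specify more fine-grained control over log groups.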

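1. For **IAM roles and users who can view dashboards**, select how you want to grant IAM roles and IAM users access to the log dashboards:
   + To limit dashboard access to only some users, choose **Select IAM roles and users who can view dashboards**, and then in the text box, search for and select the IAM roles and IAM users that you want to grant access to.
   + To grant dashboard access to all users, choose **Allow all roles and users in this account to view dashboards**.
**Important**  
Selecting roles or users, or choosing all users, only adds them to the [data access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) needed to access the OpenSearch Service collection that stores the dashboard data. **For them to be able to view the vended logs dashboards, you must also grant those roles and users the [CloudWatchOpenSearchDashboardAccess](iam-identity-based-access-control-cwl.md#managed-policies-cwl-CloudWatchOpenSearchDashboardAccess) managed IAM policy.**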

1. Choose **Create integration**.

   Creating the integration takes a few minutes.