本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 跨帳戶交付範例
在此範例中,涉及兩個帳戶。具有日誌產生資源的帳戶是帳戶 A,ID:{{123456789012}},而具有日誌使用資源的帳戶是帳戶 B,ID:{{111122223333}}。
帳戶 A 想要使用 ARN arn:aws:bedrock:{{us-east-1}}:{{123456789012}}:knowledge-base/{{kb-12345678}} 從帳戶中的 Amazon Bedrock 知識庫傳遞日誌。
在此範例中,帳戶 A 需要下列許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowVendedLogDeliveryForKnowledgeBase",
"Effect": "Allow",
"Action": [
"bedrock:AllowVendedLogDeliveryForResource"
],
"Resource": "arn:aws:bedrock:{{us-east-1}}:{{123456789012}}:knowledge-base/{{XXXXXXXXXX}}"
},
{
"Sid": "CreateLogDeliveryPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliverySource",
"logs:CreateDelivery"
],
"Resource": [
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery-source:*",
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery:*",
"arn:aws:logs:{{us-east-1}}:{{444455556666}}:delivery-destination:*"
]
}
]
}
```
------
## 建立交付來源
首先,帳戶 A 會建立交付來源及其基礎知識庫:
```
aws logs put-delivery-source --name my-delivery-source --log-type APPLICATION_LOGS --resource-arn arn:aws:bedrock:{{region}}:{{AAAAAAAAAAAA}}:knowledge-base/{{XXXXXXXXXX}}
```
接著,帳戶 B 必須使用下列其中一個流程建立交付目的地:
+ [設定交付至 Amazon S3 儲存貯體](#crossaccount-example-delivery-S3)
+ [設定交付至 Firehose 串流](#crossaccount-example-delivery-Firehose)
## 設定交付至 Amazon S3 儲存貯體
帳戶 B 想要使用 ARN arn:aws:s3::amzn-s3-demo-bucket 接收其 S3 儲存貯體的日誌。在此範例中,帳戶 B 將需要下列許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PutLogDestinationPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:*"
}
]
}
```
------
儲存貯體在其儲存貯體政策中將需要下列許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogsDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/{{123456789012}}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": [
"{{123456789012}}"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery-source:my-delivery-source"
]
}
}
}
]
}
```
------
如果儲存貯體使用 SSE-KMS 加密,請確保 AWS KMS 金鑰政策具有適當的許可。例如,如果 KMS 金鑰為 `arn:aws:kms:{{us-east-1}}:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}`,請使用下列項目:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowLogsGenerateDataKey",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:{{us-east-1}}:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}",
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"{{123456789012}}"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery-source:my-delivery-source"
]
}
}
}
]
}
```
------
然後,帳戶 B 可以使用 S3 儲存貯體做為目的地資源來建立交付目的地:
```
aws logs put-delivery-destination --name my-s3-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:s3:::amzn-s3-demo-bucket"
```
接下來,帳戶 B 會在其新建立的交付目的地上建立交付目的地政策,這會授予帳戶 A 建立日誌交付的許可。將新增至新建立的交付目的地的政策如下:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "{{123456789012}}"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:{{amzn-s3-demo-bucket}}"
}
]
}
```
------
此政策會儲存在帳戶 B 的電腦中,做為`destination-policy-s3.json`連接此資源之用,帳戶 B 會執行下列命令:
```
aws logs put-delivery-destination-policy --delivery-destination-name my-s3-delivery-destination --delivery-destination-policy file://destination-policy-s3.json
```
最後,帳戶 A 會建立交付,將帳戶 A 中的交付來源連結至帳戶 B 中的交付目的地。
```
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:{{region}}:{{BBBBBBBBBBBB}}:delivery-destination:my-s3-delivery-destination
```
## 設定交付至 Firehose 串流
在此範例中,帳戶 B 想要將日誌接收到其 Firehose 串流。Firehose 串流具有下列 ARN,並設定為使用 DirectPut 交付串流類型:
`arn:aws:firehose:{{us-east-1}}:{{111122223333}}:deliverystream/{{log-delivery-stream}}`
在此範例中,帳戶 B 需要下列許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowFirehoseCreateSLR",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
},
{
"Sid": "AllowFirehoseTagging",
"Effect": "Allow",
"Action": [
"firehose:TagDeliveryStream"
],
"Resource": "arn:aws:firehose:{{us-east-1}}:{{111122223333}}:deliverystream/{{X}}"
},
{
"Sid": "AllowFirehoseDeliveryDestination",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:*"
}
]
}
```
------
Firehose 串流必須將標籤`LogDeliveryEnabled`設定為 `true`。
帳戶 B 接著會使用 Firehose 串流做為目的地資源來建立交付目的地:
```
aws logs put-delivery-destination --name my-fh-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:firehose:{{region}}:{{BBBBBBBBBBBB}}:deliverystream/{{X}}"
```
接下來,帳戶 B 會在其新建立的交付目的地上建立交付目的地政策,這會授予帳戶 A 建立日誌交付的許可。要新增至新建立的交付目的地的政策如下:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "{{123456789012}}"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:{{amzn-s3-demo-bucket}}"
}
]
}
```
------
此政策會儲存在帳戶 B 的電腦中,做為`destination-policy-fh.json`連接此資源之用,帳戶 B 會執行下列命令:
```
aws logs put-delivery-destination-policy --delivery-destination-name my-fh-delivery-destination --delivery-destination-policy file://destination-policy-fh.json
```
最後,帳戶 A 會建立交付,將帳戶 A 中的交付來源連結至帳戶 B 中的交付目的地。
```
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:{{region}}:{{BBBBBBBBBBBB}}:delivery-destination:my-fh-delivery-destination
```