CloudWatch Pipelines IAM policies and permissions - Amazon CloudWatch

This page is a machine translation of the English version. Where the two differ, the English version is authoritative.

CloudWatch Pipelines IAM policies and permissions

This section describes the IAM requirements for CloudWatch Pipelines in detail: the permissions the API caller needs, source-specific policies, trust relationships, and resource policies.

API caller permissions

The principal that calls the CreateTelemetryPipeline API must be allowed to pass every role named in the pipeline configuration (for example the S3 source role, the Secrets Manager access role, or the CloudWatch Logs source role) to the service.

PassRole permission

iam:PassRole is required for every role referenced in the pipeline configuration (S3 source role, Secrets Manager access role, or CloudWatch Logs source role). Grant it on the specific role ARNs, never on Resource "*": an unscoped iam:PassRole lets the caller hand any role in the account to the service.

Example IAM policy for an S3 source
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForS3Source",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role"
    }
  ]
}
Example IAM policy for a Secrets Manager source
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForSecretsManagerSource",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role"
    }
  ]
}
Example IAM policy for a CloudWatch Logs source
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForCloudWatchLogsSource",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-cloudwatch-logs-role"
    }
  ]
}

Pipeline rule permissions

When the source is cloudwatch_logs, creating or updating a pipeline calls logs:PutPipelineRule and deleting it calls logs:DeletePipelineRule, so the calling principal must also be allowed to perform those actions.

Example IAM policy for CloudWatch Logs pipeline rules
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PipelineRuleForCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:PutPipelineRule",
        "logs:DeletePipelineRule"
      ],
      "Resource": "*"
    }
  ]
}

Reducing scope with condition keys

To narrow the iam:PassRole grant for telemetry pipelines, add condition keys: iam:PassedToService pins the service the role may be passed to, and iam:AssociatedResourceARN pins the pipeline resource the role may be associated with. Each basic policy is shown next to its scoped form. Because the iam:AssociatedResourceARN value ends in a wildcard, it is matched with ArnLike; StringEquals does not expand *, so a StringEquals condition on that pattern would never match and every CreateTelemetryPipeline call would be denied.

Example IAM policy for an S3 source (basic)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForS3Source",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role"
    }
  ]
}
Example IAM policy for an S3 source (scoped with condition keys)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForS3Source",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-s3-source-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "telemetry-pipelines.observabilityadmin.amazonaws.com"
          ]
        },
        "ArnLike": {
          "iam:AssociatedResourceARN": [
            "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*"
          ]
        }
      }
    }
  ]
}
Example IAM policy for a Secrets Manager source (basic)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForSecretsManagerSource",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role"
    }
  ]
}
Example IAM policy for a Secrets Manager source (scoped with condition keys)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForSecretsManagerSource",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-secrets-manager-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "telemetry-pipelines.observabilityadmin.amazonaws.com"
          ]
        },
        "ArnLike": {
          "iam:AssociatedResourceARN": [
            "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*"
          ]
        }
      }
    }
  ]
}
Example IAM policy for a CloudWatch Logs source (scoped with condition keys)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleForCloudWatchLogsSource",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::your-account-id:role/your-cloudwatch-logs-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "logs.amazonaws.com"
          ]
        },
        "ArnLike": {
          "iam:AssociatedResourceARN": [
            "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/*"
          ]
        }
      }
    }
  ]
}
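The following is an added example, not code from this page or from AWS: a small audit that walks the Statement array of an identity policy and reports every iam:PassRole grant that is not scoped the way the section above recommends (specific role ARN, iam:PassedToService, iam:AssociatedResourceARN, and an operator that can actually match a wildcard pattern). The three sample policies and the account ID 111122223333 are constructed for the example.

```python
"""Audit iam:PassRole statements for the scoping this page recommends."""
from typing import List

PIPELINE_SERVICE = "telemetry-pipelines.observabilityadmin.amazonaws.com"
PIPELINE_ARN_PATTERN = "arn:aws:observabilityadmin:us-east-1:111122223333:telemetry-pipeline/*"
S3_ROLE_ARN = "arn:aws:iam::111122223333:role/pipeline-s3-source"  # constructed


def _as_list(value):
    """IAM allows a lone string or object wherever an array is accepted."""
    return value if isinstance(value, list) else [value]


def audit_passrole(policy: dict) -> List[str]:
    """Return one finding per weakness in each Allow statement that grants
    iam:PassRole. An empty list means every PassRole grant is pinned to
    named roles, to a service, and to a resource pattern that can match."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("role/*"):
                findings.append(f"{sid}: PassRole on '{res}' lets the caller pass any role")
        # Flatten Condition into {key: (operator, values)}; keys are case-insensitive.
        keys = {k.lower(): (op, v)
                for op, kv in stmt.get("Condition", {}).items()
                for k, v in kv.items()}
        if "iam:passedtoservice" not in keys:
            findings.append(f"{sid}: no iam:PassedToService; role can be passed to any service")
        if "iam:associatedresourcearn" not in keys:
            findings.append(f"{sid}: no iam:AssociatedResourceARN; role can be tied to any pipeline")
        else:
            op, vals = keys["iam:associatedresourcearn"]
            # String equality operators treat * and ? literally; only StringLike
            # and the Arn operators expand them, so this condition can never match.
            if op in ("StringEquals", "StringEqualsIgnoreCase") and any(
                    "*" in v or "?" in v for v in _as_list(vals)):
                findings.append(f"{sid}: wildcard under {op} never matches; use ArnLike")
    return findings


# Constructed sample policies (example data, not from the page).
BASIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PassRoleForS3Source", "Effect": "Allow",
                   "Action": "iam:PassRole", "Resource": S3_ROLE_ARN}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PassRoleForS3Source", "Effect": "Allow",
                   "Action": "iam:PassRole", "Resource": S3_ROLE_ARN,
                   "Condition": {
                       "StringEquals": {"iam:PassedToService": [PIPELINE_SERVICE]},
                       "ArnLike": {"iam:AssociatedResourceARN": [PIPELINE_ARN_PATTERN]}}}],
}
# Same intent, but the wildcard pattern sits under StringEquals: fails closed.
MISMATCHED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PassRoleForS3Source", "Effect": "Allow",
                   "Action": "iam:PassRole", "Resource": S3_ROLE_ARN,
                   "Condition": {"StringEquals": {
                       "iam:PassedToService": [PIPELINE_SERVICE],
                       "iam:AssociatedResourceARN": [PIPELINE_ARN_PATTERN]}}}],
}

if __name__ == "__main__":
    for name, pol in (("basic", BASIC_POLICY), ("scoped", SCOPED_POLICY),
                      ("mismatched", MISMATCHED_POLICY)):
        print(name, audit_passrole(pol) or ["ok"])
```

Point the function at policy documents pulled with `aws iam get-policy-version` or from your IaC before they are applied; the wildcard check is the one that catches the StringEquals pitfall, which fails closed rather than open but still leaves you debugging AccessDenied on CreateTelemetryPipeline.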

Source-specific IAM policies

Each source type needs specific IAM permissions to reach its data source.

CloudWatch Logs source

For a CloudWatch Logs source, every IAM role named in the pipeline configuration must have a trust relationship with logs.amazonaws.com.

Example IAM role trust policy for a CloudWatch Logs source (basic)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

S3 source

For an S3 source, you must provide an IAM role with permission to read the S3 objects and to consume the SQS queue.

Example IAM policy for an S3 source
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Access",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    },
    {
      "Sid": "SqsAccess",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:ChangeMessageVisibility"
      ],
      "Resource": "arn:aws:sqs:your-region:your-account-id:your-queue-name"
    },
    {
      "Sid": "KmsAccess",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id"
    }
  ]
}
The KmsAccess statement is required only if the S3 bucket and/or the SQS queue is encrypted with a KMS key; remove it otherwise. Policy JSON has no comment syntax, so do not carry notes in a Condition block: IAM rejects unknown condition operators. Sid values in IAM policies must be alphanumeric, which is why the statement IDs above contain no hyphens.

Sources that use AWS Secrets Manager

For sources that reference AWS Secrets Manager (Microsoft Office 365, Microsoft Entra ID, Palo Alto NGFW), you must provide an IAM role with access to Secrets Manager.

Example IAM policy for a Secrets Manager source
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecretsManagerAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:your-region:your-account-id:secret:your-secret-name*"
    },
    {
      "Sid": "KmsAccess",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id"
    }
  ]
}
The KmsAccess statement is required only if the secret is encrypted with a customer managed KMS key; remove it otherwise. The trailing * on the secret ARN is needed because Secrets Manager appends a random suffix to the secret name in the ARN; keep the prefix before it as specific as possible so the role cannot read unrelated secrets.

Trust relationships

Every IAM role named in the pipeline configuration must have a trust relationship with the CloudWatch Pipelines service principal.

Pipeline role trust policy

All pipeline roles must trust the telemetry-pipelines.observabilityadmin.amazonaws.com service principal. The exception is the role for a cloudwatch_logs source, which trusts logs.amazonaws.com instead, as shown under CloudWatch Logs source above. A service principal acts on behalf of every customer of that service, so consider adding an aws:SourceAccount (or aws:SourceArn pinned to your pipeline ARN) condition to the trust policy, and confirm in the CloudTrail AssumeRole event that the service populates the key before you rely on it.

Example trust policy for a pipeline role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "telemetry-pipelines.observabilityadmin.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Resource policies

Pipelines that write to a log group need a CloudWatch Logs resource policy, except pipelines that use the cloudwatch_logs source.

CloudWatch Logs resource policy

The CreateTelemetryPipeline API returns the pipeline ARN. For a pipeline whose source is not cloudwatch_logs, you must then call logs:PutResourcePolicy to allow the CloudWatch Pipelines service principal to write to the configured log group. The aws:SourceArn condition ties the grant to that one pipeline ARN; without it, any pipeline the service runs, in any account, could write into the log group.

Timing constraint

After you receive the pipeline ARN you have a limited window (under 5 minutes) to create the resource policy. If the pipeline becomes active before the policy is in place, data is dropped. Script the PutResourcePolicy call to run as soon as CreateTelemetryPipeline returns rather than applying it by hand.

Example logs:PutResourcePolicy request
{
  "policyName": "resourceArn=arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "telemetry-pipelines.observabilityadmin.amazonaws.com"
        },
        "Action": [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Condition": {
          "StringEquals": {
            "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id"
          }
        }
      }
    ]
  }
}

Managing resource policies

This guide gives the AWS CLI steps to create or update the CloudWatch Logs resource policy for a telemetry pipeline.

Check for an existing policy:

aws logs describe-resource-policies --resource-arn "arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*"

This returns all resource policies attached to the log group. Look for any policy that is already associated with your log group: put-resource-policy replaces a policy of the same name, so overwriting it would silently revoke whatever that policy granted.

If no resource policy exists, create a new one:

aws logs put-resource-policy \
  --region your-region \
  --policy-name "resourceArn=arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*" \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "telemetry-pipelines.observabilityadmin.amazonaws.com"
        },
        "Action": [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Condition": {
          "StringEquals": {
            "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id"
          }
        }
      }
    ]
  }'

Replace the following placeholders:

  • your-region - your AWS Region (for example us-east-1)

  • your-account-id - your 12-digit AWS account ID

  • your-log-group-name - the name of your CloudWatch Logs log group

  • your-pipeline-id - your telemetry pipeline ID

If a resource policy already exists, merge the new statement into it:

  1. Retrieve the existing policy:

    aws logs describe-resource-policies --resource-arn "arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*"
  2. Save the returned policyDocument (the CLI returns it as a JSON string) to existing-policy.json and add the new statement to its existing Statement array:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "existing-service.amazonaws.com"
          },
          "Action": [
            "logs:SomeAction"
          ]
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "telemetry-pipelines.observabilityadmin.amazonaws.com"
          },
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceArn": "arn:aws:observabilityadmin:your-region:your-account-id:telemetry-pipeline/your-pipeline-id"
            }
          }
        }
      ]
    }
  3. Update the policy (quote the name so the shell does not expand the trailing *):

    aws logs put-resource-policy \
      --region your-region \
      --policy-name "resourceArn=arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*" \
      --policy-document file://existing-policy.json

Confirm that the policy was created or updated:

aws logs describe-resource-policies --resource-arn "arn:aws:logs:your-region:your-account-id:log-group:your-log-group-name:*"
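The timing constraint above and the describe-merge-put procedure just described fit together in one script. The following is an added example, not code from this page or from AWS: it builds the pipeline statement, merges it into whatever policy the log group already carries without duplicating it on a re-run, and shells out to the same AWS CLI commands the procedure uses. The sample describe output, the log group ARN, the pipeline ID abcd1234 and the account ID 111122223333 are constructed for the example; apply_policy is the only function that touches AWS.

```python
"""Create or update the CloudWatch Logs resource policy a telemetry pipeline needs,
merging with any policy already attached to the log group."""
import json
import subprocess
import sys
from typing import Optional

PIPELINE_PRINCIPAL = "telemetry-pipelines.observabilityadmin.amazonaws.com"
PIPELINE_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"]


def policy_name_for(log_group_arn: str) -> str:
    """Policy name in the resourceArn=<log group ARN> form this page uses."""
    return f"resourceArn={log_group_arn}"


def pipeline_statement(pipeline_arn: str) -> dict:
    """Allow the pipeline service principal to write, but only on behalf of this
    one pipeline (aws:SourceArn), so no other pipeline can reuse the grant."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": PIPELINE_PRINCIPAL},
        "Action": list(PIPELINE_ACTIONS),
        "Condition": {"StringEquals": {"aws:SourceArn": pipeline_arn}},
    }


def existing_document(describe_output: dict, policy_name: str) -> Optional[dict]:
    """Pull the parsed policyDocument for policy_name out of
    `aws logs describe-resource-policies` output (policyDocument is a JSON string)."""
    for pol in describe_output.get("resourcePolicies", []):
        if pol.get("policyName") == policy_name:
            doc = pol["policyDocument"]
            return json.loads(doc) if isinstance(doc, str) else doc
    return None


def merge_resource_policy(existing: Optional[dict], pipeline_arn: str) -> dict:
    """Return the existing statements plus the pipeline statement. Idempotent,
    so re-running after a partial failure does not pile up duplicates."""
    doc = {"Version": "2012-10-17", "Statement": []}
    if existing is not None:
        doc = json.loads(json.dumps(existing))  # deep copy; never mutate the input
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement object is valid policy JSON
        stmts = [stmts]
    new = pipeline_statement(pipeline_arn)
    if new not in stmts:
        stmts.append(new)
    doc["Statement"] = stmts
    return doc


def apply_policy(region: str, log_group_arn: str, pipeline_arn: str) -> dict:
    """Describe, merge, put. Run this the moment CreateTelemetryPipeline returns
    the pipeline ARN: the window before the pipeline goes active is under five
    minutes, and events that arrive before the policy exists are dropped."""
    name = policy_name_for(log_group_arn)
    out = subprocess.run(
        ["aws", "logs", "describe-resource-policies", "--region", region,
         "--resource-arn", log_group_arn],
        check=True, capture_output=True, text=True).stdout
    merged = merge_resource_policy(existing_document(json.loads(out), name), pipeline_arn)
    subprocess.run(
        ["aws", "logs", "put-resource-policy", "--region", region,
         "--policy-name", name, "--policy-document", json.dumps(merged)],
        check=True)
    return merged


# Constructed sample of describe-resource-policies output (not real AWS output):
# one pre-existing statement for another service is already on the log group.
SAMPLE_LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:app-logs:*"
SAMPLE_PIPELINE_ARN = "arn:aws:observabilityadmin:us-east-1:111122223333:telemetry-pipeline/abcd1234"
SAMPLE_DESCRIBE_OUTPUT = {
    "resourcePolicies": [{
        "policyName": policy_name_for(SAMPLE_LOG_GROUP_ARN),
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "existing-service.amazonaws.com"},
                           "Action": ["logs:SomeAction"]}],
        }),
    }]
}

if __name__ == "__main__":
    # usage: python pipeline_policy.py <region> <log-group-arn> <pipeline-arn>
    region, log_group_arn, pipeline_arn = sys.argv[1:4]
    print(json.dumps(apply_policy(region, log_group_arn, pipeline_arn), indent=2))
```

Because the merge is idempotent and preserves existing statements, the script can run in the same automation step as CreateTelemetryPipeline and be retried on failure without the manual compare-and-edit of existing-policy.json.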