Step 2: (Only if using an organization) Create an IAM role
In the previous section, if you created the destination by using an access policy that grants permissions to the organization that account 111111111111 is in, instead of granting permissions directly to account 111111111111, then follow the steps in this section. Otherwise, you can skip to Step 3: Create an account-level subscription filter policy.
The steps in this section create an IAM role that CloudWatch Logs can assume in order to validate whether the sender account has permission to create a subscription filter against the recipient destination.
Perform the steps in this section in the sender account. The role must exist in the sender account, and you specify the ARN of this role in the subscription filter. In this example, the sender account is 111111111111.
To create the IAM role necessary for cross-account log subscriptions using AWS Organizations
1. Create the following trust policy in a file named ~/TrustPolicyForCWLSubscriptionFilter.json. Use a text editor to create this policy file; do not use the IAM console.

       {
         "Statement": {
           "Effect": "Allow",
           "Principal": { "Service": "logs.amazonaws.com" },
           "Action": "sts:AssumeRole"
         }
       }
2. Create the IAM role that uses this policy. Take note of the Arn value that is returned by the command; you will need it later in this procedure. In this example, we use CWLtoSubscriptionFilterRole for the name of the role we're creating.

       aws iam create-role \
           --role-name CWLtoSubscriptionFilterRole \
           --assume-role-policy-document file://~/TrustPolicyForCWLSubscriptionFilter.json
3. Create a permissions policy to define the actions that CloudWatch Logs can perform on your account.

   First, use a text editor to create the following permissions policy in a file named ~/PermissionsForCWLSubscriptionFilter.json. Replace region with the Region of the log group.

       {
         "Statement": [
           {
             "Effect": "Allow",
             "Action": "logs:PutLogEvents",
             "Resource": "arn:aws:logs:region:111111111111:log-group:LogGroupOnWhichSubscriptionFilterIsCreated:*"
           }
         ]
       }

   Enter the following command to associate the permissions policy you just created with the role that you created in step 2.

       aws iam put-role-policy \
           --role-name CWLtoSubscriptionFilterRole \
           --policy-name Permissions-Policy-For-CWL-Subscription-filter \
           --policy-document file://~/PermissionsForCWLSubscriptionFilter.json
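Before attaching the two documents, it is worth confirming that they are no broader than the ones above. The following check is an added example, not part of the AWS documentation: it embeds constructed copies of this page's two policies (with us-east-1 standing in for the region placeholder), handles the fact that IAM accepts "Statement" as either a single object or a list, and flags any trust principal other than the logs.amazonaws.com service or any resource beyond the single log group ARN.

```python
import json

# Constructed copies of the two policy documents from this page; "us-east-1" stands in
# for the region placeholder.
TRUST_POLICY = """{ "Statement": { "Effect": "Allow",
  "Principal": { "Service": "logs.amazonaws.com" }, "Action": "sts:AssumeRole" } }"""
PERMISSIONS_POLICY = """{ "Statement": [ { "Effect": "Allow", "Action": "logs:PutLogEvents",
  "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:LogGroupOnWhichSubscriptionFilterIsCreated:*" } ] }"""

def _statements(doc):
    # IAM accepts "Statement" as a single object (trust policy above) or a list
    # (permissions policy above); normalise to a list so both shapes are checked.
    stmts = json.loads(doc).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Return findings; empty means only the CloudWatch Logs service may assume the role."""
    findings = []
    for stmt in _statements(doc):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
        if not isinstance(principal, dict) or "AWS" in principal or services != {"logs.amazonaws.com"}:
            findings.append("trust policy principal is not exactly the logs.amazonaws.com service")
        if set(_as_list(stmt.get("Action", []))) != {"sts:AssumeRole"}:
            findings.append("trust policy allows actions other than sts:AssumeRole")
    return findings

def check_permissions_policy(doc, account_id, region, log_group):
    """Return findings; empty means the role can only write to the one expected log group."""
    expected = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"
    findings = []
    for stmt in _statements(doc):
        if stmt.get("Effect") != "Allow":
            continue
        if set(_as_list(stmt.get("Action", []))) != {"logs:PutLogEvents"}:
            findings.append("permissions policy grants actions beyond logs:PutLogEvents")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != expected:
                findings.append(f"resource {resource} is not scoped to {expected}")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY) + check_permissions_policy(
        PERMISSIONS_POLICY, "111111111111", "us-east-1", "LogGroupOnWhichSubscriptionFilterIsCreated"))
```

Run it against the real files with `open(...).read()` in place of the embedded strings; an empty list for both checks means the documents match the scope this procedure intends.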
When you have finished, you can proceed to Step 3: Create an account-level subscription filter policy.