Step 2: (Only if using an organization) Create an IAM role

In the previous section, if you created the destination by using an access policy that grants permissions to the organization that account 111111111111 is in, instead of granting permissions directly to account 111111111111, then follow the steps in this section. Otherwise, you can skip to Step 4: Create a subscription filter.

The steps in this section create an IAM role, which CloudWatch can assume and validate whether the sender account has permission to create a subscription filter against the recipient destination.

Perform the steps in this section in the sender account. The role must exist in the sender account, and you specify the ARN of this role in the subscription filter. In this example, the sender account is 111111111111.

To create the IAM role necessary for cross-account log subscriptions using AWS Organizations

Create the following trust policy in a file /TrustPolicyForCWLSubscriptionFilter.json. Use a text editor to create this policy file; do not use the IAM console.
```
{
  "Statement": {
    "Effect": "Allow",
    "Principal": { "Service": "logs.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }
}
```
Create the IAM role that uses this policy. Take note of the Arn value that is returned by the command, you will need it later in this procedure. In this example, we use CWLtoSubscriptionFilterRole for the name of the role we're creating.
```
aws iam create-role \ 
     --role-name CWLtoSubscriptionFilterRole \ 
     --assume-role-policy-document file://~/TrustPolicyForCWLSubscriptionFilter.json
```

Create a permissions policy to define the actions that CloudWatch Logs can perform on your account.

First, use a text editor to create the following permissions policy in a file named ~/PermissionsForCWLSubscriptionFilter.json.


{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": "logs:PutLogEvents", 
            "Resource": "arn:aws:logs:region:111111111111:log-group:LogGroupOnWhichSubscriptionFilterIsCreated:*" 
        } 
    ] 
}

Enter the following command to associate the permissions policy you just created with the role that you created in step 2.


aws iam put-role-policy  
    --role-name CWLtoSubscriptionFilterRole  
    --policy-name Permissions-Policy-For-CWL-Subscription-filter 
    --policy-document file://~/PermissionsForCWLSubscriptionFilter.json

When you have finished, you can proceed to Step 4: Create a subscription filter.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Step 1: Create a destination

Step 3: Add/validate IAM permissions for the cross-account destination