This page is a machine-translated version. Where this translation and the English original differ, the English original takes precedence.
Logs sent to CloudWatch Logs
User permissions
To enable sending logs to CloudWatch Logs, you must be signed in with the following permissions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteAccessForLogDeliveryActions",
      "Effect": "Allow",
      "Action": [
        "logs:GetDelivery",
        "logs:GetDeliverySource",
        "logs:PutDeliveryDestination",
        "logs:GetDeliveryDestinationPolicy",
        "logs:DeleteDeliverySource",
        "logs:PutDeliveryDestinationPolicy",
        "logs:CreateDelivery",
        "logs:GetDeliveryDestination",
        "logs:PutDeliverySource",
        "logs:DeleteDeliveryDestination",
        "logs:DeleteDeliveryDestinationPolicy",
        "logs:DeleteDelivery",
        "logs:UpdateDeliveryConfiguration"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111122223333:delivery:*",
        "arn:aws:logs:us-east-1:444455556666:delivery-source:*",
        "arn:aws:logs:us-east-1:777788889999:delivery-destination:*"
      ]
    },
    {
      "Sid": "ListAccessForLogDeliveryActions",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeDeliveryDestinations",
        "logs:DescribeDeliverySources",
        "logs:DescribeDeliveries",
        "logs:DescribeConfigurationTemplates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUpdatesToResourcePolicyCWL",
      "Effect": "Allow",
      "Action": [
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:*"
      ]
    }
  ]
}
```
Log groups and resource policies
The log group that receives the logs must have a resource policy that includes specific permissions. If the log group currently has no resource policy, and the user setting up logging has the logs:PutResourcePolicy, logs:DescribeResourcePolicies, and logs:DescribeLogGroups permissions for that log group, AWS automatically creates the following policy for it when you start sending logs to CloudWatch Logs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "delivery.logs.amazonaws.com"
        ]
      },
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "0123456789"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:us-east-1:111122223333:*"
          ]
        }
      }
    }
  ]
}
```
Logging that requires additional permissions [V2]
Logs sent to Amazon S3