This document is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.
Step 1: Create an integration with OpenSearch Service
The first step is to create an integration with OpenSearch Service, which you only need to do once. Creating the integration creates the following resources in your account.
An OpenSearch Service time series collection without high availability.
A collection is a group of OpenSearch Service indexes that work together to support a workload.
Two security policies for the collection. One defines the encryption type: either a customer-managed AWS KMS key or a service-owned key. The other defines network access, allowing the OpenSearch Service application to reach the collection. For more information, see Encryption at rest for Amazon OpenSearch Service.
An OpenSearch Service data access policy that defines who can access the data in the collection.
An OpenSearch Service direct query data source whose source is defined as CloudWatch Logs.
An OpenSearch Service application named aws-analytics. The application is configured to allow workspace creation. If an application named aws-analytics already exists, it is updated to add this collection as a data source.
An OpenSearch Service workspace that hosts the dashboards and allows everyone who has been granted access to read from the workspace.
Required permissions
To create an integration, you must be signed in to an account that has the CloudWatchOpenSearchDashboardsFullAccess managed IAM policy or equivalent permissions, as shown below. You also need these permissions to delete the integration, to create, edit, and delete dashboards, and to manually refresh dashboards.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "CloudWatchOpenSearchDashboardsIntegration",
"Effect": "Allow",
"Action": [
"logs:ListIntegrations",
"logs:GetIntegration",
"logs:DeleteIntegration",
"logs:PutIntegration",
"logs:DescribeLogGroups",
"opensearch:ApplicationAccessAll",
"iam:ListRoles",
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "CloudWatchLogsOpensearchReadAPIs",
"Effect": "Allow",
"Action": [
"aoss:BatchGetCollection",
"aoss:BatchGetLifecyclePolicy",
"es:ListApplications"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchLogsOpensearchCreateServiceLinkedAccess",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "opensearchservice.amazonaws.com",
"aws:CalledViaFirst": "logs.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "observability.aoss.amazonaws.com",
"aws:CalledViaFirst": "logs.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchLogsCollectionRequestAccess",
"Effect": "Allow",
"Action": [
"aoss:CreateCollection"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com",
"aws:RequestTag/CloudWatchOpenSearchIntegration": [
"Dashboards"
]
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "CloudWatchOpenSearchIntegration"
}
}
},
{
"Sid": "CloudWatchLogsApplicationRequestAccess",
"Effect": "Allow",
"Action": [
"es:CreateApplication"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com",
"aws:RequestTag/OpenSearchIntegration": [
"Dashboards"
]
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "OpenSearchIntegration"
}
}
},
{
"Sid": "CloudWatchLogsCollectionResourceAccess",
"Effect": "Allow",
"Action": [
"aoss:DeleteCollection"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com",
"aws:ResourceTag/CloudWatchOpenSearchIntegration": [
"Dashboards"
]
}
}
},
{
"Sid": "CloudWatchLogsApplicationResourceAccess",
"Effect": "Allow",
"Action": [
"es:UpdateApplication",
"es:GetApplication"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com",
"aws:ResourceTag/OpenSearchIntegration": [
"Dashboards"
]
}
}
},
{
"Sid": "CloudWatchLogsCollectionPolicyAccess",
"Effect": "Allow",
"Action": [
"aoss:CreateSecurityPolicy",
"aoss:CreateAccessPolicy",
"aoss:DeleteAccessPolicy",
"aoss:DeleteSecurityPolicy",
"aoss:GetAccessPolicy",
"aoss:GetSecurityPolicy"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aoss:collection": "cloudwatch-logs-*",
"aws:CalledViaFirst": "logs.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchLogsAPIAccessAll",
"Effect": "Allow",
"Action": [
"aoss:APIAccessAll"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aoss:collection": "cloudwatch-logs-*"
}
}
},
{
"Sid": "CloudWatchLogsIndexPolicyAccess",
"Effect": "Allow",
"Action": [
"aoss:CreateAccessPolicy",
"aoss:DeleteAccessPolicy",
"aoss:GetAccessPolicy",
"aoss:CreateLifecyclePolicy",
"aoss:DeleteLifecyclePolicy"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aoss:index": "cloudwatch-logs-*",
"aws:CalledViaFirst": "logs.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchLogsDQSRequestQueryAccess",
"Effect": "Allow",
"Action": [
"es:AddDirectQueryDataSource"
],
"Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com",
"aws:RequestTag/CloudWatchOpenSearchIntegration": [
"Dashboards"
]
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "CloudWatchOpenSearchIntegration"
}
}
},
{
"Sid": "CloudWatchLogsStartDirectQueryAccess",
"Effect": "Allow",
"Action": [
"opensearch:StartDirectQuery",
"opensearch:GetDirectQuery"
],
"Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*"
},
{
"Sid": "CloudWatchLogsDQSResourceQueryAccess",
"Effect": "Allow",
"Action": [
"es:GetDirectQueryDataSource",
"es:DeleteDirectQueryDataSource"
],
"Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com",
"aws:ResourceTag/CloudWatchOpenSearchIntegration": [
"Dashboards"
]
}
}
},
{
"Sid": "CloudWatchLogsPassRoleAccess",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": "directquery.opensearchservice.amazonaws.com",
"aws:CalledViaFirst": "logs.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchLogsAossTagsAccess",
"Effect": "Allow",
"Action": [
"aoss:TagResource"
],
"Resource": "arn:aws:aoss:*:*:collection/*",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "logs.amazonaws.com",
"aws:ResourceTag/CloudWatchOpenSearchIntegration": [
"Dashboards"
]
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "CloudWatchOpenSearchIntegration"
}
}
},
{
"Sid": "CloudWatchLogsEsApplicationTagsAccess",
"Effect": "Allow",
"Action": [
"es:AddTags"
],
"Resource": "arn:aws:opensearch:*:*:application/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/OpenSearchIntegration": [
"Dashboards"
],
"aws:CalledViaFirst": "logs.amazonaws.com"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "OpenSearchIntegration"
}
}
},
{
"Sid": "CloudWatchLogsEsDataSourceTagsAccess",
"Effect": "Allow",
"Action": [
"es:AddTags"
],
"Resource": "arn:aws:opensearch:*:*:datasource/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/CloudWatchOpenSearchIntegration": [
"Dashboards"
],
"aws:CalledViaFirst": "logs.amazonaws.com"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "CloudWatchOpenSearchIntegration"
}
}
}
]
}
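The managed policy above grants broad Resource "*" on resource-creating and resource-deleting OpenSearch actions, but it keeps those grants least-privilege in two ways: every such statement is conditioned on aws:CalledViaFirst being logs.amazonaws.com (so the permissions can only be exercised through CloudWatch Logs, not called directly), and create actions additionally require the integration tag on the request. If you author an "equivalent" policy of your own, those guardrails are easy to drop by accident. The following lint, added here as an example and not AWS code, checks a policy document for exactly those two properties. The embedded sample is a constructed subset of three statements copied from this page plus one hypothetical statement (WeakenedExample) that omits the conditions, so the check has something to report.

```python
"""Lint the guardrail conditions of a CloudWatch Logs / OpenSearch integration policy.

Added example, not part of the AWS documentation. It checks that every Allow
statement granting a create/delete action on OpenSearch resources is gated by
aws:CalledViaFirst = logs.amazonaws.com, and that create actions also carry a
request-tag condition.
"""

# Action prefixes treated as mutating (create/delete of collections, policies,
# applications and direct-query data sources).
MUTATING_PREFIXES = (
    "aoss:Create", "aoss:Delete",
    "es:Create", "es:Delete",
    "es:AddDirectQueryDataSource",
)
# Create actions that the managed policy scopes with aws:RequestTag.
TAGGED_CREATE_ACTIONS = {
    "aoss:CreateCollection",
    "es:CreateApplication",
    "es:AddDirectQueryDataSource",
}
EXPECTED_CALLER = "logs.amazonaws.com"

# Constructed sample: three statements from the page, one weakened statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchLogsCollectionRequestAccess",
            "Effect": "Allow",
            "Action": ["aoss:CreateCollection"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:RequestTag/CloudWatchOpenSearchIntegration": ["Dashboards"],
                },
                "ForAllValues:StringEquals": {"aws:TagKeys": "CloudWatchOpenSearchIntegration"},
            },
        },
        {
            "Sid": "CloudWatchLogsCollectionResourceAccess",
            "Effect": "Allow",
            "Action": ["aoss:DeleteCollection"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                    "aws:ResourceTag/CloudWatchOpenSearchIntegration": ["Dashboards"],
                }
            },
        },
        {
            "Sid": "CloudWatchLogsCollectionPolicyAccess",
            "Effect": "Allow",
            "Action": ["aoss:CreateSecurityPolicy", "aoss:DeleteSecurityPolicy"],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aoss:collection": "cloudwatch-logs-*",
                    "aws:CalledViaFirst": "logs.amazonaws.com",
                }
            },
        },
        {
            # Hypothetical weakened statement: same grant, no guardrail conditions.
            "Sid": "WeakenedExample",
            "Effect": "Allow",
            "Action": "aoss:CreateCollection",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_value(stmt, operator_prefix, key):
    """Return the value of a condition key under any operator with the prefix
    (e.g. "String" matches both StringEquals and StringLike)."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator.startswith(operator_prefix) and key in pairs:
            return pairs[key]
    return None


def lint_policy(policy):
    """Return a list of human-readable findings; an empty list means the
    guardrails are present on every mutating statement."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        mutating = [a for a in actions if a.startswith(MUTATING_PREFIXES)]
        if not mutating:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _condition_value(stmt, "String", "aws:CalledViaFirst") != EXPECTED_CALLER:
            findings.append(f"{sid}: {mutating} not restricted to calls via {EXPECTED_CALLER}")
        if any(a in TAGGED_CREATE_ACTIONS for a in actions):
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            if not any(k.startswith("aws:RequestTag/") for k in equals):
                findings.append(f"{sid}: create action without an aws:RequestTag condition")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against the full policy on this page (loaded with json.load) and it should return no findings; the constructed WeakenedExample statement produces two, one per missing guardrail. The lint is intentionally narrow: it does not evaluate resource scoping, the ForAllValues:StringEquals tag-key limits, or the iam:PassRole condition, so treat a clean result as a floor, not a full least-privilege review.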
Create the integration
Use the following steps to create the integration.
To integrate CloudWatch Logs with Amazon OpenSearch Service
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
In the left navigation pane, choose Logs Insights, then choose the Analyze with OpenSearch tab.
Choose Create integration.
For Integration name, enter a name for the integration.
(Optional) To encrypt the data written to OpenSearch Service Serverless, for KMS key ARN enter the ARN of the AWS KMS key to use. For more information, see Encryption at rest in the Amazon OpenSearch Service Developer Guide.
For Data retention, enter how long you want to retain the data indexed in OpenSearch Service. This also defines the maximum time range you can view in the dashboards. Choosing a longer data retention period incurs additional search and indexing costs. For more information, see OpenSearch Service Serverless pricing. The maximum retention period is 30 days.
The data retention period is also used to create the OpenSearch Service collection lifecycle policy.
For IAM role for writing to the OpenSearch collection, create a new IAM role or choose an existing IAM role to use for writing to the OpenSearch Service collection.
Creating a new role is the simplest approach; the role is created with the necessary permissions.
Note
If you create a role, that role has permission to read all log groups in the account.
If you choose an existing role, that role should have the permissions listed in Permissions required for the integration. Alternatively, you can choose Use an existing role and then choose Create role in the Verify access for selected role section. This lets you use the permissions listed in Permissions required for the integration as a template and modify them, for example if you want to specify more granular controls for log groups.
For IAM roles and users who can view dashboards, choose how to grant IAM roles and IAM users access to the vended logs dashboards:
To restrict dashboard access to a subset of users, choose Select IAM roles and users who can view dashboards, then use the text box to search for and select the IAM roles and IAM users to grant access to.
To grant dashboard access to all users, choose Allow all roles and users in this account to view dashboards.
Important
Selecting roles or users, or selecting all users, only adds them to the data access policy required to access the OpenSearch Service collection that stores the dashboard data. For them to be able to view the vended logs dashboards, you must also grant those roles and users the CloudWatchOpenSearchDashboardAccess managed IAM policy.
Choose Create integration.
Creating the integration takes a few minutes.