本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
跨账户传输示例
在此示例中,涉及两个账户。拥有日志生成资源的账户是账户 A,ID:123456789012,拥有日志消耗资源的账户是账户 B,ID:。111122223333
账户 A 想使用 ARN arn: aws: bedrock:: knowledge-base/ 在其账户中提供 Amazon Bedrock 知识库中的日志。us-east-1 123456789012 kb-12345678
对于此示例,账户 A 需要以下权限:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowVendedLogDeliveryForKnowledgeBase",
"Effect": "Allow",
"Action": [
"bedrock:AllowVendedLogDeliveryForResource"
],
"Resource": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/XXXXXXXXXX"
},
{
"Sid": "CreateLogDeliveryPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliverySource",
"logs:CreateDelivery"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:delivery-source:*",
"arn:aws:logs:us-east-1:123456789012:delivery:*",
"arn:aws:logs:us-east-1:444455556666:delivery-destination:*"
]
}
]
}
创建传输源
首先,账户 A 使用其 bedrock 知识库创建传输源:
aws logs put-delivery-source --name my-delivery-source --log-type APPLICATION_LOGS --resource-arn arn:aws:bedrock:region:AAAAAAAAAAAA:knowledge-base/XXXXXXXXXX
接下来,账户 B 必须使用以下流之一创建传输目标:
配置传输到 Amazon S3 存储桶
用户 B 希望使用 ARN arn:aws:s3:::amzn-s3-demo-bucket 将日志接收到其 S3 存储桶中。对于此示例,账户 B 将需要以下权限:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PutLogDestinationPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
}
]
}
存储桶在其存储桶策略中需要具有以下权限:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogsDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": [
"123456789012"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:123456789012:delivery-source:my-delivery-source"
]
}
}
}
]
}
如果存储桶使用 SSE-KMS 加密,请确保 AWS KMS 密钥策略具有相应的权限。例如,如果 KMS 密钥是 arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab,请使用以下内容:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLogsGenerateDataKey",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-east-1:BBBBBBBBBBBB:key/X",
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"AAAAAAAAAAAA"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:AAAAAAAAAAAA:delivery-source:my-delivery-source"
]
}
}
}
]
}
然后,账户 B 可以创建一个以 S3 存储桶为目标资源的传输目标:
aws logs put-delivery-destination --name my-s3-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:s3:::amzn-s3-demo-bucket"
接下来,账户 B 在其新创建的传输目标上创建传输目标策略,该策略将授予账户 A 创建日志传输的权限。将添加到新创建的传输目标的策略如下:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "123456789012"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:amzn-s3-demo-bucket"
}
]
}
此策略将以 destination-policy-s3.json 形式保存在账户 B 的计算机中。要附加此资源,账户 B 将运行以下命令:
aws logs put-delivery-destination-policy --delivery-destination-name my-s3-delivery-destination --delivery-destination-policy file://destination-policy-s3.json
最后,账户 A 创建传输,将账户 A 中的传输源链接到账户 B 中的传输目标。
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:region:BBBBBBBBBBBB:delivery-destination:my-s3-delivery-destination
配置向 Firehose 流的传输
在此示例中,账户 B 希望将日志接收到其 Firehose 流中。Firehose 直播具有以下 ARN,并且配置为使用传输流类型: DirectPut
arn:aws:firehose:us-east-1:111122223333:deliverystream/log-delivery-stream
对于此示例,账户 B 需要以下权限:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFirehoseCreateSLR",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::111122223333:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
},
{
"Sid": "AllowFirehoseTagging",
"Effect": "Allow",
"Action": [
"firehose:TagDeliveryStream"
],
"Resource": "arn:aws:firehose:us-east-1:111122223333:deliverystream/X"
},
{
"Sid": "AllowFirehoseDeliveryDestination",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
}
]
}
Firehose 流必须将标签 LogDeliveryEnabled 设置为 true。
然后,账户 B 将创建一个以 Firehose 流为目标资源的传输目标:
aws logs put-delivery-destination --name my-fh-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:firehose:region:BBBBBBBBBBBB:deliverystream/X"
接下来,账户 B 在其新创建的传输目标上创建传输目标策略,该策略将授予账户 A 创建日志传输的权限。要添加到新创建的传输目标的策略如下:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "123456789012"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:amzn-s3-demo-bucket"
}
]
}
此策略将以 destination-policy-fh.json 形式保存在账户 B 的计算机中。要附加此资源,账户 B 运行以下命令:
aws logs put-delivery-destination-policy --delivery-destination-name my-fh-delivery-destination --delivery-destination-policy file://destination-policy-fh.json
最后,账户 A 创建传输,将账户 A 中的传输源链接到账户 B 中的传输目标。
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:region:BBBBBBBBBBBB:delivery-destination:my-fh-delivery-destination
