整合所需的許可 - Amazon CloudWatch Logs

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

整合所需的許可

如果您為要使用的整合建立 IAM 角色,而不是允許 CloudWatch Logs 建立角色,則必須包含下列許可和信任政策。如需如何建立 IAM 角色的詳細資訊,請參閱建立角色以將許可委派給 AWS 服務

JSON
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "CloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudWatchLogsDescribeLogGroupsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
        "Sid": "AmazonOpenSearchCollectionAccess",
        "Effect": "Allow",
        "Action": [
            "aoss:APIAccessAll"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "aoss:collection": "cloudwatch-logs-*"
            }
        }
    }
  ]
}
注意

先前的角色授予從 帳戶中所有日誌群組讀取的存取權,讓您能夠為任何日誌帳戶建立儀表板,包括跨帳戶日誌群組。如果您想要限制對特定日誌群組的存取,並僅為這些日誌群組建立儀表板,您可以將該政策中的第一個陳述式更新為以下內容:

{
      "Sid": "CloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup:*",
        "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup"
      ]
}