本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
跨帳戶交付範例
在此範例中,涉及兩個帳戶。具有日誌產生資源的帳戶是帳戶 A,ID:123456789012,而具有日誌使用資源的帳戶是帳戶 B,ID:111122223333。
帳戶 A 想要使用 ARN arn:aws:bedrock:us-east-1:123456789012:knowledge-base/kb-12345678 從帳戶中的 Amazon Bedrock 知識庫傳遞日誌。
在此範例中,帳戶 A 需要下列許可:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowVendedLogDeliveryForKnowledgeBase",
"Effect": "Allow",
"Action": [
"bedrock:AllowVendedLogDeliveryForResource"
],
"Resource": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/XXXXXXXXXX"
},
{
"Sid": "CreateLogDeliveryPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliverySource",
"logs:CreateDelivery"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:delivery-source:*",
"arn:aws:logs:us-east-1:123456789012:delivery:*",
"arn:aws:logs:us-east-1:444455556666:delivery-destination:*"
]
}
]
}
建立交付來源
首先,帳戶 A 會建立交付來源及其基礎知識庫:
aws logs put-delivery-source --name my-delivery-source --log-type APPLICATION_LOGS --resource-arn arn:aws:bedrock:region:AAAAAAAAAAAA:knowledge-base/XXXXXXXXXX
接著,帳戶 B 必須使用下列其中一個流程建立交付目的地:
設定交付至 Amazon S3 儲存貯體
帳戶 B 想要使用 ARN arn:aws:s3::amzn-s3-demo-bucket 接收其 S3 儲存貯體的日誌。在此範例中,帳戶 B 將需要下列許可:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PutLogDestinationPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
}
]
}
儲存貯體在其儲存貯體政策中將需要下列許可:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogsDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": [
"123456789012"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:123456789012:delivery-source:my-delivery-source"
]
}
}
}
]
}
如果儲存貯體使用 SSE-KMS 加密,請確保 AWS KMS 金鑰政策具有適當的許可。例如,如果 KMS 金鑰為 arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab,請使用下列項目:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLogsGenerateDataKey",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-east-1:BBBBBBBBBBBB:key/X",
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"AAAAAAAAAAAA"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:AAAAAAAAAAAA:delivery-source:my-delivery-source"
]
}
}
}
]
}
然後,帳戶 B 可以使用 S3 儲存貯體做為目的地資源來建立交付目的地:
aws logs put-delivery-destination --name my-s3-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:s3:::amzn-s3-demo-bucket"
接下來,帳戶 B 在其新建立的交付目的地上建立交付目的地政策,這會授予帳戶 A 建立日誌交付的許可。將新增至新建立的交付目的地的政策如下:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "123456789012"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:amzn-s3-demo-bucket"
}
]
}
此政策將儲存在帳戶 B 的電腦中作為destination-policy-s3.json連接此資源,帳戶 B 將執行下列命令:
aws logs put-delivery-destination-policy --delivery-destination-name my-s3-delivery-destination --delivery-destination-policy file://destination-policy-s3.json
最後,帳戶 A 會建立交付,將帳戶 A 中的交付來源連結至帳戶 B 中的交付目的地。
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:region:BBBBBBBBBBBB:delivery-destination:my-s3-delivery-destination
設定交付至 Firehose 串流
在此範例中,帳戶 B 想要將日誌接收到其 Firehose 串流。Firehose 串流具有下列 ARN,並設定為使用 DirectPut 交付串流類型:
arn:aws:firehose:us-east-1:111122223333:deliverystream/log-delivery-stream
在此範例中,帳戶 B 需要下列許可:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFirehoseCreateSLR",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::111122223333:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
},
{
"Sid": "AllowFirehoseTagging",
"Effect": "Allow",
"Action": [
"firehose:TagDeliveryStream"
],
"Resource": "arn:aws:firehose:us-east-1:111122223333:deliverystream/X"
},
{
"Sid": "AllowFirehoseDeliveryDestination",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
}
]
}
Firehose 串流必須將標籤LogDeliveryEnabled設定為 true。
帳戶 B 接著會使用 Firehose 串流做為目的地資源來建立交付目的地:
aws logs put-delivery-destination --name my-fh-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:firehose:region:BBBBBBBBBBBB:deliverystream/X"
接下來,帳戶 B 在其新建立的交付目的地上建立交付目的地政策,這會授予帳戶 A 建立日誌交付的許可。要新增至新建立的交付目的地的政策如下:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "123456789012"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:amzn-s3-demo-bucket"
}
]
}
此政策會儲存在帳戶 B 的電腦中,做為destination-policy-fh.json連接此資源之用,帳戶 B 會執行下列命令:
aws logs put-delivery-destination-policy --delivery-destination-name my-fh-delivery-destination --delivery-destination-policy file://destination-policy-fh.json
最後,帳戶 A 會建立交付,將帳戶 A 中的交付來源連結至帳戶 B 中的交付目的地。
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:region:BBBBBBBBBBBB:delivery-destination:my-fh-delivery-destination
