Sent Org CloudTrail logs to CloudWatch to Non-Management Account

Question


I have an Organization set up in AWS and have a Management account and also a Sec Account. I have Delegated Admin of CloudTrail from the Management account to the Sec Account.

In the Sec account I then set up an Organization CloudTrail and all logs are being delivered to an S3 bucket. This all works fine.

I would like to set up the streaming of the CloudTrail logs to CloudWatch but in the Sec Account this option is greyed out as seen below

[screenshot: CloudTrail console in the Sec account, the CloudWatch Logs option greyed out]

If I log back into the Management account this option is NOT greyed out and I can set this up.

[screenshot: CloudTrail console in the Management account, the CloudWatch Logs option enabled]

This would mean that the CloudWatch logs would be in the Management Account and the CloudTrail logs in the Sec Account which is not what I want.

Why is the option to set up CloudWatch logs in the Sec account greyed out, and is there a way round this? Is it possible to have an Organization Trail set up to deliver the logs in the Sec Account and also to get those logs streamed into CloudWatch?

Answer 1

Score: 1

According to "Creating a trail for your organization in the console":

> The delegated administrator account cannot currently configure a
> CloudWatch Logs log group using the console, because the console
> operation is not supported. The delegated administrator account must
> use the AWS CLI or CloudTrail APIs to create an organization trail
> with a CloudWatch Logs log group.

So, from the delegated administrator account (Sec Account in your case) you can't configure the CloudWatch log group through the console, but you can do it through the AWS CLI (create-trail). Example:

```shell
aws cloudtrail create-trail \
  --name 'trail name' \
  --s3-bucket-name 's3 bucket name' \
  --is-multi-region-trail \
  --is-organization-trail \
  --cloud-watch-logs-log-group-arn 'log group arn' \
  --cloud-watch-logs-role-arn 'role arn'
```
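The answer above gives only the final `create-trail` call. The script below, added here as an example and not part of the original answer, also creates the log group and the least-privilege IAM role CloudTrail needs to write to it, then verifies the association. All trail, bucket, log group and role names are assumed placeholders, and the S3 bucket is assumed to already exist with its CloudTrail bucket policy (the asker says S3 delivery already works).

```shell
#!/bin/sh
# Added example (not from the original answer): create an organization trail
# from the delegated administrator (Sec) account with CloudWatch Logs delivery,
# the step the console greys out. All names below are assumed placeholders;
# the S3 bucket is assumed to exist with its CloudTrail bucket policy in place.
set -eu
TRAIL_NAME="${TRAIL_NAME:-org-trail}"
S3_BUCKET="${S3_BUCKET:-example-org-trail-bucket}"
LOG_GROUP="${LOG_GROUP:-/aws/cloudtrail/org-trail}"
ROLE_NAME="${ROLE_NAME:-CloudTrailToCloudWatchLogs}"
REGION="${AWS_REGION:-us-east-1}"

# Log group ARN in the delegated admin account: region, account id, group name.
log_group_arn() { printf 'arn:aws:logs:%s:%s:log-group:%s\n' "$1" "$2" "$3"; }

# Trust policy: only the CloudTrail service principal may assume the delivery role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"sts:AssumeRole"}]}\n'
}

# Permissions policy, least privilege: write streams only under this one log group.
logs_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"%s:log-stream:*"}]}\n' "$1"
}

# Runs the real AWS CLI calls; invoke explicitly from the Sec account.
create_org_trail() {
  account=$(aws sts get-caller-identity --query Account --output text)
  arn=$(log_group_arn "$REGION" "$account" "$LOG_GROUP")
  aws logs create-log-group --log-group-name "$LOG_GROUP" --region "$REGION"
  trust_policy > /tmp/ct-trust.json
  logs_policy "$arn" > /tmp/ct-logs.json
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file:///tmp/ct-trust.json
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name CloudTrailToCloudWatchLogs --policy-document file:///tmp/ct-logs.json
  role_arn=$(aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text)
  sleep 10  # IAM is eventually consistent; let the new role propagate first
  # The organization trail itself; the console does not offer this for a delegated admin.
  aws cloudtrail create-trail --name "$TRAIL_NAME" --s3-bucket-name "$S3_BUCKET" \
    --is-multi-region-trail --is-organization-trail \
    --cloud-watch-logs-log-group-arn "$arn:*" \
    --cloud-watch-logs-role-arn "$role_arn" --region "$REGION"
  aws cloudtrail start-logging --name "$TRAIL_NAME" --region "$REGION"
  # Check that the trail really points at the Sec-account log group.
  aws cloudtrail get-trail --name "$TRAIL_NAME" --region "$REGION" \
    --query 'Trail.CloudWatchLogsLogGroupArn' --output text
}
```

Source the file and call `create_org_trail` with credentials for the Sec account; the log group must live in the same region as the trail's home region, which is why both calls pass the same `--region`.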

huangapple, posted 2023-02-27 19:19:19
Source: https://go.coder-hub.com/75579789.html