I am trying to create an Elasticsearch domain with LogPublishingOptions enabled. When LogPublishingOptions is enabled, ES reports that it does not have sufficient permissions to create a LogStream in CloudWatch.
I tried creating a policy with a role and attaching it to the LogGroup referenced by ES, but it does not work. Here is my Elasticsearch CloudFormation template:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MYLOGGROUP:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: index_slow
  MYESROLE:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: es.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonESFullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      RoleName: !Join
        - '-'
        - - es
          - !Ref 'AWS::Region'
  PolicyDocESIndexSlow:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - logs:PutLogEvents
              - logs:CreateLogStream
            Resource: 'arn:aws:logs:*'
      PolicyName: !Ref MYLOGGROUP
      Roles:
        - !Ref MYESROLE
  MYESDOMAIN:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: 'es-domain'
      ElasticsearchVersion: '7.4'
      ElasticsearchClusterConfig:
        DedicatedMasterCount: 3
        DedicatedMasterEnabled: True
        DedicatedMasterType: 'r5.large.elasticsearch'
        InstanceCount: '2'
        InstanceType: 'r5.large.elasticsearch'
      EBSOptions:
        EBSEnabled: True
        VolumeSize: 10
        VolumeType: 'gp2'
      AccessPolicies:
        Version: 2012-10-17
        Statement:
          - Effect: Deny
            Principal:
              AWS: '*'
            Action: 'es:*'
            Resource: '*'
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: True
      LogPublishingOptions:
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: !GetAtt
            - MYLOGGROUP
            - Arn
          Enabled: True
      VPCOptions:
        SubnetIds:
          - !Ref MYSUBNET
        SecurityGroupIds:
          - !Ref MYSECURITYGROUP
  MYVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  MYSUBNET:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MYVPC
      CidrBlock: 10.0.0.0/16
  MYSECURITYGROUP:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: security group for elastic search domain
      VpcId: !Ref MYVPC
      GroupName: 'SG for ES'
      SecurityGroupIngress:
        - FromPort: '443'
          IpProtocol: tcp
          ToPort: '443'
          CidrIp: 0.0.0.0/0
When it runs, it creates every resource except MYESDOMAIN. It reports:
The Resource Access Policy specified for the CloudWatch Logs log group INDEX_SLOW does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy. (Service: AWSElasticsearch; Status Code: 400; Error Code: ValidationException)
Do you know what is missing here?
3 Answers
vu8f3i0k1#
Update 2021
There is a CloudFormation resource called AWS::Logs::ResourcePolicy that allows the CloudWatch Logs policy to be defined in CF. The main problem I found is that it only accepts a literal string as the value. Attempts to assemble the string with Ref, Join, etc. kept being rejected. It would be great if someone could get that working. Writing it in YAML is easier, since JSON needs every " character escaped.
fykwrbwg2#
I think there is some confusion here about which policy should be updated/set to let ES write to the log group.
I think you need to apply the PolicyDocESIndexSlow policy to CloudWatch Logs. From memory, that cannot be done in CloudFormation. You have to use put-resource-policy, the corresponding API call, or the console, as shown below:
xdyibdwo3#
The final code should look like this:
DeployES lambda_function.py
plus some additions in the CF template.
Just add the following
DependsOn
to MYESDOMAIN.