如何在安全账户的CloudWatch中查看AWS组织的CloudTrail日志？

Question

AWS CloudTrail 日志存储在日志帐户的 S3 存储桶中。生成这些日志的轨迹在管理帐户中。我希望 CloudTrail 日志在我的安全账户的 CloudWatch 中可见。

我（主要）使用控制台，我已经设置了各种 EventBridge 权限和角色等，详情如下。但是，每当我尝试在跟踪中启用 CloudWatch 日志时，我都会收到错误消息

An internal error occurred. Refresh the page, and retry.

如何在我的安全账户的 CloudWatch 的日志组中显示 CloudTrail 日志？

账户和组织结构相对简单——四个账户，没有应用SCP：

管理账户
基础设施账户
安全账户
日志帐户

管理帐户中的 CloudTrail 跟踪将日志存储在日志帐户存储桶中，这是通过存储桶策略启用的（这是模板，占位符值替换为正确的存储桶名称、管理帐户 ID、组织 ID、跟踪名称、区域):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::BUCKET"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET/AWSLogs/MANAGEMENT_ACCOUNT_ID/*/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:REGION:MANAGEMENT_ACCOUNT_ID:trail/TRAIL_NAME"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET/AWSLogs/ORGANISATION_ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:REGION:MANAGEMENT_ACCOUNT_ID:trail/TRAIL_NAME"
                }
            }
        }
    ]
}

安全帐户 EventBridge

default

总线具有以下资源权限策略（这是模板，占位符值替换为安全帐户 id、组织 id、区域）：

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "allow_all_accounts_from_organization_to_put_events",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:REGION:SECURITY_ACCOUNT_ID:event-bus/default",
    "Condition": {
      "StringEquals": {
        "aws:PrincipalOrgID": "ORGANISATION_ID"
      }
    }
  }]
}

安全账户还有一个名为“cloudtrail-logs”的 CloudWatch 日志组。

在管理帐户中，有 TRAIL_NAME CloudTrail 跟踪，我创建了 CloudTrailForCloudWatchLogs-TRAIL_NAME 角色，并附加了以下权限策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents2",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID*"
            ]
        }
    ]
}

为了尝试在 CloudWatch 中启用 CloudTrail，我执行以下操作：

在管理帐户中，转到 CloudTrail，单击 TRAIL_NAME 跟踪，然后单击 CloudWatch Logs 的“编辑”（当前显示“未为此跟踪配置 CloudWatch 日志”）。
在生成的编辑屏幕中：

勾选“启用 CloudWatch 日志”
指定现有日志组：cloudtrail-logs
指定现有的 IAM 角色：CloudTrailForCloudWatchLogs-TRAIL_NAME

在此编辑表单的底部有一个“政策文件”下拉菜单，展开后显示以下政策：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream2014110",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:REGION:MANAGEMENT_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*"
      ]
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents20141101",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:REGION:MANAGEMENT_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*"
      ]
    }
  ]
}

单击“编辑”表单底部的“保存更改”按钮会生成错误消息
```
An internal error occurred. Refresh the page, and retry.
```
。如果我去 IAM，我还会发现一个与上面步骤 (3) 中的策略完全匹配的新策略已经创建并附加到 CloudTrailForCloudWatchLogs-TRAIL_NAME 角色。

到目前为止对我有帮助的特定资源（这些链接可能最终会过时，所以我在上面提供了详细信息）：

创建路径并使其正常工作：
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
设置 EventBridge，管理帐户角色：
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-required-policy-for-cloudwatch-logs.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html#ReceivingEventsFromAnotherAccount（请注意，这些说明略有过时，因为它们指的是 CloudWatch 事件总线，现在已处理通过 EventBridge）
这个 StackOverflow 问题与这个问题很接近，但不完全是：它是关于将 CloudWatch 日志从多个账户收集到一个账户中：Cloudtrail 到 Cloudwatch 到另一个账户

通过 CLI 做什么/更新 2021-12-21

已经在 SecurityAccount 中配置了 EventBus 以接受如上所述的事件，然后我使用了 here 的说明。这也不起作用，但失败并显示一条信息更丰富的错误消息：

An error occurred (InvalidCloudWatchLogsLogGroupArnException) when calling the UpdateTrail operation: You must specify a log group that is owned by this account.

.

这表明账户 B 中的 CloudWatch 不可能监控账户 A 中 CloudTrail 写入的日志，至少不能直接监控。

我现在正在研究是否可以将管理帐户中的 CloudTrail 日志共享到安全帐户中，从而以这种方式创建 CloudWatch 监控（从here开始）。

更详细地说，我做了什么：

aws iam create-role --role-name ROLE_NAME --assume-role-policy-document file://path/to/cloudtrail_assume_role.json
aws iam put-role-policy --role-name ROLE_NAME --policy-name cloudtrail-for-cloudwatch-policy --policy-document file://path/to/role-policy-document.json
aws cloudtrail update-trail --name TRAIL_NAME --cloud-watch-logs-log-group-arn LOG_GROUP_ARN --cloud-watch-logs-role-arn ROLE_ARN

在哪里

cloudtrail_assume_role.json

看起来像这样：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

role-policy-document.json

看起来像这样：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID_*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents2",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
                "arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID_*"
            ]
        }
    ]
}

如何在安全账户的CloudWatch中查看AWS组织的CloudTrail日志？

问题描述投票：0回答：0

最新问题

如何在安全账户的CloudWatch中查看AWS组织的CloudTrail日志？

问题描述 投票：0回答：0

最新问题

问题描述投票：0回答：0