AWS CloudTrail 日志存储在日志帐户的 S3 存储桶中。生成这些日志的轨迹在管理帐户中。我希望 CloudTrail 日志在我的安全账户的 CloudWatch 中可见。
我(主要)使用控制台,我已经设置了各种 EventBridge 权限和角色等,详情如下。但是,每当我尝试在跟踪中启用 CloudWatch 日志时,我都会收到错误消息
An internal error occurred. Refresh the page, and retry.
如何在我的安全账户的 CloudWatch 的日志组中显示 CloudTrail 日志?
账户和组织结构相对简单——四个账户,没有应用SCP:
管理帐户中的 CloudTrail 跟踪将日志存储在日志帐户存储桶中,这是通过存储桶策略启用的(这是模板,占位符值替换为正确的存储桶名称、管理帐户 ID、组织 ID、跟踪名称、区域):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::BUCKET"
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKET/AWSLogs/MANAGEMENT_ACCOUNT_ID/*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:REGION:MANAGEMENT_ACCOUNT_ID:trail/TRAIL_NAME"
}
}
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKET/AWSLogs/ORGANISATION_ID/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:REGION:MANAGEMENT_ACCOUNT_ID:trail/TRAIL_NAME"
}
}
}
]
}
安全帐户 EventBridge
default
总线具有以下资源权限策略(这是模板,占位符值替换为安全帐户 id、组织 id、区域):
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "allow_all_accounts_from_organization_to_put_events",
"Effect": "Allow",
"Principal": "*",
"Action": "events:PutEvents",
"Resource": "arn:aws:events:REGION:SECURITY_ACCOUNT_ID:event-bus/default",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "ORGANISATION_ID"
}
}
}]
}
安全账户还有一个名为“cloudtrail-logs”的 CloudWatch 日志组。
在管理帐户中,有 TRAIL_NAME CloudTrail 跟踪,我创建了 CloudTrailForCloudWatchLogs-TRAIL_NAME 角色,并附加了以下权限策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents2",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID*"
]
}
]
}
为了尝试在 CloudWatch 中启用 CloudTrail,我执行以下操作:
在管理帐户中,转到 CloudTrail,单击 TRAIL_NAME 跟踪,然后单击 CloudWatch Logs 的“编辑”(当前显示“未为此跟踪配置 CloudWatch 日志”)。
在生成的编辑屏幕中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream2014110",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"arn:aws:logs:REGION:MANAGEMENT_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents20141101",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:REGION:MANAGEMENT_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*"
]
}
]
}
An internal error occurred. Refresh the page, and retry.
。如果我去 IAM,我还会发现一个与上面步骤 (3) 中的策略完全匹配的新策略已经创建并附加到 CloudTrailForCloudWatchLogs-TRAIL_NAME 角色。到目前为止对我有帮助的特定资源(这些链接可能最终会过时,所以我在上面提供了详细信息):
通过 CLI 做什么/更新 2021-12-21
已经在 SecurityAccount 中配置了 EventBus 以接受如上所述的事件,然后我使用了 here 的说明。这也不起作用,但失败并显示一条信息更丰富的错误消息:
An error occurred (InvalidCloudWatchLogsLogGroupArnException) when calling the UpdateTrail operation: You must specify a log group that is owned by this account.
.
这表明账户 B 中的 CloudWatch 不可能监控账户 A 中 CloudTrail 写入的日志,至少不能直接监控。
我现在正在研究是否可以将管理帐户中的 CloudTrail 日志共享到安全帐户中,从而以这种方式创建 CloudWatch 监控(从here开始)。
更详细地说,我做了什么:
aws iam create-role --role-name ROLE_NAME --assume-role-policy-document file://path/to/cloudtrail_assume_role.json
aws iam put-role-policy --role-name ROLE_NAME --policy-name cloudtrail-for-cloudwatch-policy --policy-document file://path/to/role-policy-document.json
aws cloudtrail update-trail --name TRAIL_NAME --cloud-watch-logs-log-group-arn LOG_GROUP_ARN --cloud-watch-logs-role-arn ROLE_ARN
在哪里
cloudtrail_assume_role.json
看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
role-policy-document.json
看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID_*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents2",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID_*"
]
}
]
}