From d06549c15c0d5e115d18869da10e69d325b8505f Mon Sep 17 00:00:00 2001
From: x p k
Date: Wed, 3 Apr 2019 17:46:17 +0800
Subject: [PATCH] doc: added s3 policy example to readme
---
 README.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/README.md b/README.md
index 5a273b3..fc02586 100644
--- a/README.md
+++ b/README.md
@@ -18,5 +18,50 @@ instances need the following cloudwatch log permissions. Create a policy with th
 - CreateLogGroup
 - PutLogEvents
 
+## s3 bucket policy
+If the cloudwatch logs need to be exported to s3, the bucket needs the following policy. The third statement is irrelevant to this role, but it allows ALB to write log to the s3 bucket.
+
+```
+{
+"Version": "2012-10-17",
+"Id": "CHG0194311",
+"Statement": [
+{
+"Sid": "Stmt1438571420001",
+"Effect": "Allow",
+"Principal": {
+"Service": "logs.us-east-1.amazonaws.com"
+},
+"Action": "s3:GetBucketAcl",
+"Resource": "arn:aws:s3:::MY-S3-BUCKET"
+},
+{
+"Sid": "Stmt1438571420002",
+"Effect": "Allow",
+"Principal": {
+"Service": "logs.us-east-1.amazonaws.com"
+},
+"Action": "s3:PutObject",
+"Resource": "arn:aws:s3:::MY-S3-BUCKET/*",
+"Condition": {
+"StringEquals": {
+"s3:x-amz-acl": "bucket-owner-full-control"
+}
+}
+},
+{
+"Sid": "Stmt1429136633762",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::127311923021:root"
+},
+"Action": "s3:PutObject",
+"Resource": "arn:aws:s3:::MY-S3-BUCKET/lb/*"
+}
+]
+}
+```
+
 ## references:
 - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
+- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasks.html
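Review bot: The two statements whose principal is `logs.us-east-1.amazonaws.com` (`Stmt1438571420001` and `Stmt1438571420002`) carry no `aws:SourceAccount` or `aws:SourceArn` condition, so the grant is to the CloudWatch Logs service acting for any account in that region, not only the account this README is written for — the confused-deputy case that export-task bucket policies need to close. Adding `"aws:SourceAccount": "<YOUR-ACCOUNT-ID>"` to the existing `StringEquals` block of `Stmt1438571420002`, and the same `Condition` to `Stmt1438571420001`, scopes both grants to the owning account; an `aws:SourceArn` of the exporting log-group ARN tightens it further. The example also hard-codes the region in the service principal and, per the README's own sentence, an ALB-specific account in the third statement, so a one-line note that both values are region-specific and must be adjusted before use would stop readers from copying them verbatim. `"Id": "CHG0194311"` reads like an internal change-ticket number and could be replaced with a neutral placeholder in a public example.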