doc: added s3 policy example to readme
@@ -18,5 +18,50 @@ instances need the following cloudwatch log permissions. Create a policy with th
- CreateLogGroup
- CreateLogGroup
- PutLogEvents
- PutLogEvents
## s3 bucket policy
If the cloudwatch logs need to be exported to s3, the bucket needs the following policy. The third statement is irrelevant to this role, but it allows ALB to write log to the s3 bucket.
```
{
"Version": "2012-10-17",
"Id": "CHG0194311",
"Statement": [
{
"Sid": "Stmt1438571420001",
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::MY-S3-BUCKET"
},
{
"Sid": "Stmt1438571420002",
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MY-S3-BUCKET/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "Stmt1429136633762",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::127311923021:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MY-S3-BUCKET/lb/*"
}
]
}
```
## references:
## references:
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasks.html
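Review bot: the first two statements grant the `logs.us-east-1.amazonaws.com` service principal `s3:GetBucketAcl` and `s3:PutObject` on `MY-S3-BUCKET` with no condition tying the grant to this account, so a CloudWatch Logs export task started from any AWS account in that region could write objects into the bucket. Add an `aws:SourceAccount` condition to both statements, for example next to the existing ACL check in the second one: `"StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "<your-account-id>" }`. Two smaller points: the principals are region-specific (`logs.us-east-1.amazonaws.com`, and the third statement's `arn:aws:iam::127311923021:root`), so the README text should say the example assumes us-east-1 and that the account ID in the third statement is the load balancer service account rather than the reader's own; and the policy `Id` of `CHG0194311` reads like an internal change-ticket number, which is better left out of a public example.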