AWS CloudTrail 日志存储在日志账户的 S3 存储桶中。生成这些日志的跟踪位于管理帐户中。我希望 CloudTrail 日志在我的安全账户的 CloudWatch 中可见。
我(主要)使用控制台,并且设置了各种 EventBridge 权限和角色等,详情如下。但是,每当我尝试在跟踪中启用 CloudWatch 日志时,我都会收到错误消息An internal error occurred. Refresh the page, and retry.
如何使 CloudTrail 日志在我的安全账户的 CloudWatch 的日志组中可见?
账户和组织结构比较简单——四个账户,没有应用SCP:
- 管理账户
- 基础设施帐户
- 安全帐户
- 日志帐户
管理账户中的 CloudTrail 跟踪将日志存储在 Logs Account 存储桶中,这是通过存储桶策略启用的(这是模板,占位符值替换为正确的存储桶名称、管理账户 ID、组织 ID、跟踪名称、区域) :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::BUCKET"
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKET/AWSLogs/MANAGEMENT_ACCOUNT_ID/*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:REGION:MANAGEMENT_ACCOUNT_ID:trail/TRAIL_NAME"
}
}
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKET/AWSLogs/ORGANISATION_ID/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:REGION:MANAGEMENT_ACCOUNT_ID:trail/TRAIL_NAME"
}
}
}
]
}
安全帐户 EventBridgedefault总线上具有以下资源权限策略(这是模板,占位符值替换为安全帐户 ID、组织 ID、区域):
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "allow_all_accounts_from_organization_to_put_events",
"Effect": "Allow",
"Principal": "*",
"Action": "events:PutEvents",
"Resource": "arn:aws:events:REGION:SECURITY_ACCOUNT_ID:event-bus/default",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "ORGANISATION_ID"
}
}
}]
}
安全账户还有一个名为“cloudtrail-logs”的 CloudWatch 日志组。
在管理账户中,有 TRAIL_NAME CloudTrail 跟踪,我创建了 CloudTrailForCloudWatchLogs-TRAIL_NAME 角色,并附加了以下权限策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents2",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID*"
]
}
]
}
为了尝试在 CloudWatch 中启用 CloudTrail,我执行以下操作:
在管理账户中,转到 CloudTrail,单击 TRAIL_NAME 跟踪,然后单击 CloudWatch Logs 的“编辑”(当前显示“未为此跟踪配置 CloudWatch 日志”)。
在生成的编辑屏幕中:
- 选中“已启用 CloudWatch 日志”
- 指定一个现有的日志组:cloudtrail-logs
- 指定现有 IAM 角色:CloudTrailForCloudWatchLogs-TRAIL_NAME
- 在此编辑表单的底部有一个“政策文档”下拉菜单,展开后会显示以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream2014110",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"arn:aws:logs:REGION:MANAGEMENT_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents20141101",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:REGION:MANAGEMENT_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*"
]
}
]
}
- 单击“编辑”表单底部的“保存更改”按钮会生成错误消息
An internal error occurred. Refresh the page, and retry.。如果我转到 IAM,我还会发现一个与上面步骤 (3) 中的策略完全匹配的新策略已创建并附加到 CloudTrailForCloudWatchLogs-TRAIL_NAME 角色。
到目前为止帮助我的具体资源(这些链接最终可能会过时,所以我在上面提供了详细信息):
- 创建跟踪并使其正常工作:
- 设置 EventBridge、管理帐户角色:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-required-policy-for-cloudwatch-logs.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html#ReceivingEventsFromAnotherAccount(请注意,这些说明有些过时,因为它们引用 CloudWatch 事件总线,现在由 EventBridge 处理)
- 这个 StackOverflow 问题与这个问题很接近,但不完全是:它是关于将 CloudWatch 日志从多个账户收集到一个账户中:Cloudtrail to Cloudwatch to other account
通过 CLI 执行此操作怎么样/更新 2021-12-21
如上所述,已经在 SecurityAccount 中配置了 EventBus 以接受事件,然后我使用了此处的说明。这也不起作用,但会失败并显示更多信息的错误消息:An error occurred (InvalidCloudWatchLogsLogGroupArnException) when calling the UpdateTrail operation: You must specify a log group that is owned by this account..
这表明账户 B 中的 CloudWatch 无法监控账户 A 中 CloudTrail 写入的日志,至少不能直接监控。
我现在正在调查是否可以将 CloudTrail 日志从管理账户共享到安全账户,然后以这种方式创建 CloudWatch 监控(从这里开始)。
更详细地说,我做了什么:
aws iam create-role --role-name ROLE_NAME --assume-role-policy-document file://path/to/cloudtrail_assume_role.json
aws iam put-role-policy --role-name ROLE_NAME --policy-name cloudtrail-for-cloudwatch-policy --policy-document file://path/to/role-policy-document.json
aws cloudtrail update-trail --name TRAIL_NAME --cloud-watch-logs-log-group-arn LOG_GROUP_ARN --cloud-watch-logs-role-arn ROLE_ARN
哪里cloudtrail_assume_role.json看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
role-policy-document.json看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID_*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents2",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:MANAGEMENT_ACCOUNT_ID_CloudTrail_REGION*",
"arn:aws:logs:REGION:SECURITY_ACCOUNT_ID:log-group:LOG_GROUP:log-stream:ORGANISATION_ID_*"
]
}
]
}