Notes on publishing AWS VPC Flow Logs to CloudWatch with the AWS CLI
OS: container with openSUSE Leap 15.2
Last time, flow logs were enabled through the Console.
Today's note walks through enabling flow logs with the AWS CLI instead.
- Creation method: AWS CLI
- Destination: publish to CloudWatch
==== Create the IAM Role ====
Official documentation:
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html
Create the file Trust-Policy-VPC-flow-logs.json with the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Create the IAM role with the AWS CLI:
# aws iam create-role --role-name VPC-Flow-Log --assume-role-policy-document file://Trust-Policy-VPC-flow-logs.json
- Check that the path after file:// actually resolves to where Trust-Policy-VPC-flow-logs.json is located; a relative path is resolved from the current working directory.
==== Create the IAM Policy ====
Official documentation:
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html
Create the file VPC-Flow-Log-Policy.json with the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Create the IAM policy with the AWS CLI:
# aws iam create-policy --policy-name VPC-Flow-Log-Policy --policy-document file://VPC-Flow-Log-Policy.json
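The two policy documents above, generated and sanity-checked in code. This is an added example, not the blog's own commands: the account ID, Region and log-group name are placeholders, and scoping the permissions policy to a single log-group ARN is a hardening choice beyond the page's Resource "*" (DescribeLogGroups is left on "*" as on the page).

```python
import json
from pathlib import Path

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"

def trust_policy() -> dict:
    # Only the VPC Flow Logs service principal may assume the delivery role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": FLOW_LOGS_SERVICE},
        "Action": "sts:AssumeRole"}]}

def delivery_policy(account_id: str, region: str, log_group: str) -> dict:
    # Hardening beyond the page's "*" policy: write actions are limited to the
    # one log group (and its streams); DescribeLogGroups is a list call and stays on "*".
    lg_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents", "logs:DescribeLogStreams"],
         "Resource": [lg_arn, f"{lg_arn}:*"]}]}

def trust_policy_is_safe(doc: dict) -> bool:
    # Reject anything that lets a principal other than the flow logs service
    # assume the role (wildcard/AWS principals, extra services or actions).
    statements = doc.get("Statement", [])
    for st in statements:
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            return False
        if set(principal) != {"Service"}:
            return False
        services, actions = principal["Service"], st.get("Action")
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if services != [FLOW_LOGS_SERVICE] or actions != ["sts:AssumeRole"]:
            return False
    return bool(statements)

def write_policy_files(out_dir: str, account_id: str, region: str,
                       log_group: str) -> dict:
    # Returns absolute file:// URIs for --assume-role-policy-document / --policy-document.
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = {"trust": out / "Trust-Policy-VPC-flow-logs.json",
             "policy": out / "VPC-Flow-Log-Policy.json"}
    paths["trust"].write_text(json.dumps(trust_policy(), indent=2))
    paths["policy"].write_text(
        json.dumps(delivery_policy(account_id, region, log_group), indent=2))
    return {name: f"file://{p.resolve()}" for name, p in paths.items()}
```

Run trust_policy_is_safe on the trust document before create-role; the absolute file:// URIs avoid the working-directory mistake noted above.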
==== Attach the Policy to the Role ====
Official documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html
# aws iam attach-role-policy --policy-arn arn:aws:iam::111111111111:policy/VPC-Flow-Log-Policy --role-name VPC-Flow-Log
- In the policy ARN, replace the account ID with your own (the full ARN is also printed in the output of create-policy above).
- The role name is the role created above.
==== Switch to the Region of the VPC ====
Official documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/set.html
First check the currently configured Region:
# aws configure list
or
# aws configure get region
Set the Region:
# aws configure set region us-east-2
- You can also inspect ~/.aws/config.
==== Create the Log Group ====
Official documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/create-log-group.html
# aws logs create-log-group --log-group-name flow-log-groups
==== Create the VPC Flow Log ====
# aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-c11111ac --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name flow-log-groups --deliver-logs-permission-arn arn:aws:iam::111111111111:role/VPC-Flow-Log
- Replace resource-ids with your own VPC ID.
- Replace deliver-logs-permission-arn with the ARN of the role created above.
That completes the setup.
For verification, see the previous blog post (linked in the references below).
Another step forward with AWS.
~ enjoy it
Reference:
- http://sakananote2.blogspot.com/2020/10/aws-cloudwatch-with-console.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/set.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/create-log-group.html