Zac*_*ach 4 lambda logging amazon-web-services amazon-cloudwatchlogs
我目前对我的 Lambda 函数有一个如下所示的策略:
{"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:<MY-ACCOUNT-NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>:*",
"Effect": "Allow"
}
]}
我注意到 CloudWatch 日志中缺少我的一些打印日志,当我将其带入策略模拟器并尝试对以下资源运行 CloudWatch CreateLogStream 和 PutLogEvent 操作时,
arn:aws:logs:us-east-1:<MY_ACCOUNT_NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>,和arn:aws:logs:us-east-1:<MY_ACCOUNT_NUMBER:log-group:/<MY>/<LOGGING>/<DIR>:log-stream:<MY>/<LOG>/<STREAM>分别,我收到权限错误: Denied Implicitly denied (no matching statements).
我注意到,当我将Resource策略中的更改为不包含尾随:*(因此它看起来像这样:"Resource": "arn:aws:logs:us-east-1:<MY-ACCOUNT-NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>",CreateLogStream 操作工作正常。但是,由于权限,PutLogEvents 操作仍然失败。
如果有人能指出我为什么这个政策在模拟器中不起作用的正确方向,我将不胜感激,因为我完全不知所措。
应尽可能减少在资源中使用通配符。
我建议使用以下策略,尝试授予最低限度的必要访问权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:DescribeLogStreams",
"Resource": "arn:aws:logs:us-east-1:<ACCOUNT-ID>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:<ACCOUNT-ID>:log-group:/aws/lambda/<LAMBDA-FUNCTION-NAME>",
"arn:aws:logs:us-east-1:<ACCOUNT-ID>:log-group:/aws/lambda/<LAMBDA-FUNCTION-NAME>:log-stream:*",
]
}
]
}
| 归档时间: |
|
| 查看次数: |
2920 次 |
| 最近记录: |