AWS 流程日誌發佈至CloudWatch with AWS CLI 小記

 AWS 流程日誌發佈至CloudWatch with AWS CLI 小記

OS: container with openSUSE Leap 15.2

• https://hub.docker.com/r/sakana/ansible_opensuse152

上次流程日誌啟用是使用 Console 的方式

• http://sakananote2.blogspot.com/2020/10/aws-cloudwatch-with-console.html

今天要來寫 透過 AWS CLI 啟用流程日誌

• 建立方式使用 AWS CLI 方式

• 發佈至 CloudWatch

==== 建立IAM Role ====

參考官方文件

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html 

建立檔案  Trust-Policy-VPC-flow-logs.json

內容如下

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Sid": "",

      "Effect": "Allow",

      "Principal": {

        "Service": "vpc-flow-logs.amazonaws.com"

      },

      "Action": "sts:AssumeRole"

    }

  ]

}

使用 AWS CLI 建立  IAM Role

# aws  iam  create-role  --role-name  VPC-Flow-Log  --assume-role-policy-document  file://Trust-Policy-VPC-flow-logs.json

• file:// 後面要注意是否有對應到 Trust-Policy-VPC-flow-logs.json 所在路徑

==== 建立IAM Policy ===== 

參考官方文件

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html

建立檔案 VPC-Flow-Log-Policy.json

內容如下

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Action": [

        "logs:CreateLogGroup",

        "logs:CreateLogStream",

        "logs:PutLogEvents",

        "logs:DescribeLogGroups",

        "logs:DescribeLogStreams"

      ],

      "Effect": "Allow",

      "Resource": "*"

    }

  ]

}   

使用 AWS CLI 建立  IAM Policy

# aws  iam  create-policy  --policy-name  VPC-Flow-Log-Policy  --policy-document  file://VPC-Flow-Log-Policy.json

==== 關聯 Policy 到 Role上 ====

• 參考官方文件 https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html

# aws  iam  attach-role-policy  --policy-arn  arn:aws:iam::111111111111:policy/VPC-Flow-Log-Policy  --role-name   VPC-Flow-Log

• policy arn 部分請換成自己的 ID

• Role-name 對應剛剛建立的 Role

==== 切換到VPC所在的region ====

參考官方文件

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/set.html

可以用指令先觀察目前所設定的 Region

# aws  configure  list

或是

# aws  configure  get  region

設定 Region

# aws  configure  set  region  us-east-2

• 也可以去觀察 ~/.aws/config

==== 建立 Log Group ====

建立 Log Group

• 參考官方文件 https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/create-log-group.html

# aws  logs  create-log-group  --log-group-name  flow-log-groups

==== 建立 VPC Flow log ====

建立VPC Flow log

• 參考官方文件 https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-flow-logs.html

# aws  ec2  create-flow-logs  --resource-type  VPC  --resource-ids  vpc-c11111ac  --traffic-type  ALL  --log-destination-type  cloud-watch-logs   --log-group-name  flow-log-groups  --deliver-logs-permission-arn  arn:aws:iam::111111111111:role/VPC-Flow-Log

• resource-ids 請換成自己的ID

• deliver-logs-permission-arn 請換成自己的 ARN

這樣就建立完成

驗證的方式可以參考上一篇的 blog

• http://sakananote2.blogspot.com/2020/10/aws-cloudwatch-with-console.html

這樣算是又向 AWS 前進一步

~ enjoy it

Reference:

• http://sakananote2.blogspot.com/2020/10/aws-cloudwatch-with-console.html

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/set.html

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/create-log-group.html