# Exporting CloudWatch logs to S3

[TOC]

###### tags: `aws` `cloudwatch` `s3`

---

## Summary first

Creating the S3 bucket, let alone the IAM setup, is not the focus of this note and is left out; what follows mainly explains how to configure the S3 bucket's bucket policy.

1. Go to the S3 bucket's **Permissions** tab, then **Bucket policy**, and click **Edit** to open the **Bucket Policy Editor**. Assume the existing bucket policy looks like this:

    ```json
    {
      "Version": "2012-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "3",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1AGQ5RVBJZULG"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::存儲桶名稱/*"
        }
      ]
    }
    ```

    :::info
    **存儲桶名稱** stands for the **bucket name**.
    :::

2. Add the following two statements to the `"Statement"` array:

    ```json
    {
      "Action": "s3:GetBucketAcl",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::存儲桶名稱",
      "Principal": {
        "Service": "logs.區域.amazonaws.com"
      }
    },
    {
      "Action": "s3:PutObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::存儲桶名稱/隨機生成的字符串/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      },
      "Principal": {
        "Service": "logs.區域.amazonaws.com"
      }
    }
    ```

    :::info
    - **隨機生成的字符串** ("randomly generated string") is a directory name of your own choosing; you will need it later when exporting the logs. Scoping the `s3:PutObject` grant to this prefix, rather than to the whole bucket, limits what the log service can write.
    - For **區域** (the region) see [**Regions and Zones**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html); note that it must match the region of the service that produces the logs.
    :::

    The complete policy afterwards:

    ```json
    {
      "Version": "2012-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "3",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1AGQ5RVBJZULG"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::存儲桶名稱/*"
        },
        {
          "Action": "s3:GetBucketAcl",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::存儲桶名稱",
          "Principal": {
            "Service": "logs.ap-southeast-1.amazonaws.com"
          }
        },
        {
          "Action": "s3:PutObject",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::存儲桶名稱/隨機生成的字符串/*",
          "Condition": {
            "StringEquals": {
              "s3:x-amz-acl": "bucket-owner-full-control"
            }
          },
          "Principal": {
            "Service": "logs.ap-southeast-1.amazonaws.com"
          }
        }
      ]
    }
    ```

3. Open **Log groups** in **CloudWatch** and select (tick the checkbox of) the log group you want to export;

    ![](https://i.imgur.com/M1m3osM.png)

    then open the **Actions** menu and click **Export data to Amazon S3**.

    ![](https://i.imgur.com/uyT1kjX.png)

4. Choose the date range and the bucket name, and enter the custom string from step 2 in **S3 bucket prefix**.

    ![](https://i.imgur.com/atSCikV.png)

    Click **Export** and the data is exported to Amazon S3.

## References

- [Exporting log data to Amazon S3](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html)

---

Please credit the source when reposting. Thank you.
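As an added example that is not part of this note, the following Python script builds the two statements from step 2 for a given bucket, region and export prefix, merges them into an existing bucket policy, and audits a policy for any write grant to the CloudWatch Logs service principal that is wider than the export prefix or lacks the `bucket-owner-full-control` condition. The bucket name `my-log-bucket`, the prefix `cw-export` and the OAI id in the sample policy are placeholders.

```python
import json
# Constructed sample of a pre-existing bucket policy (placeholder bucket and OAI id).
EXISTING_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "3", "Effect": "Allow", "Action": "s3:GetObject",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"},
    "Resource": "arn:aws:s3:::my-log-bucket/*"}]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def export_statements(bucket, region, prefix):
    """The two grants CloudWatch Logs needs: read the bucket ACL, and write objects
    only under the export prefix and only with the bucket-owner-full-control ACL."""
    service = f"logs.{region}.amazonaws.com"
    return [
        {"Action": "s3:GetBucketAcl", "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{bucket}", "Principal": {"Service": service}},
        {"Action": "s3:PutObject", "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
         "Principal": {"Service": service}},
    ]

def add_export_statements(policy_json, bucket, region, prefix):
    """Append the export grants to an existing policy document; safe to run twice."""
    policy = json.loads(policy_json)
    statements = policy.setdefault("Statement", [])
    for stmt in export_statements(bucket, region, prefix):
        if stmt not in statements:
            statements.append(stmt)
    return json.dumps(policy, indent=2)

def audit_export_policy(policy_json, bucket, region, prefix):
    """Findings: a missing grant, or a log-service write grant wider than the prefix or without the ACL condition."""
    statements = json.loads(policy_json).get("Statement", [])
    service = f"logs.{region}.amazonaws.com"
    findings = [f"missing {s['Action']} grant for {service}"
                for s in export_statements(bucket, region, prefix) if s not in statements]
    for s in statements:
        principal = s.get("Principal", {}) if isinstance(s.get("Principal"), dict) else {}
        writes = {"s3:PutObject", "s3:*"} & set(as_list(s.get("Action", [])))
        if s.get("Effect") != "Allow" or service not in as_list(principal.get("Service", [])) or not writes:
            continue
        if as_list(s.get("Resource")) != [f"arn:aws:s3:::{bucket}/{prefix}/*"]:
            findings.append(f"write grant for {service} is not scoped to the prefix: {s.get('Resource')}")
        acl = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            findings.append(f"write grant for {service} lacks the bucket-owner-full-control condition")
    return findings
```

Run the audit against the region of the log group you are exporting; a policy written for `ap-southeast-1` reports both grants as missing when checked for any other region.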