我想使用 AWS CDK 在 Cloudwatch 中启用跨账户监控。从 Cloudformation 文档来看,似乎有两种资源 - Sink 和 Link,拥有这两个资源就足以实现这一点。但它就是不起作用,我不明白为什么。
const monitoringAccountPolicyDocument = new PolicyDocument({
statements: [
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["oam:*"],
resources: ["*"],
principals: sharingAccountsPrincipals, // array of AccountPrincipals with list of sharing accounts IDs
conditions: [
{
"ForAllValues:StringEquals": {
"oam:ResourceTypes": [
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace",
],
},
},
],
}),
],
});
const monitoringAccountSink = new CfnSink(this, "MonitoringAccountSink", {
name: "MonitoringAccountSink",
policy: monitoringAccountPolicyDocument,
});
const sharingAccountsLinks = sharingAccounts.map((account) => {
const accountName = account.accountName;
const accountLink = new CfnLink(
this,
`SharingAccountLink-${accountName}`,
{
resourceTypes: ["AWS::Logs::LogGroup", "AWS::XRay::Trace, AWS::CloudWatch::Metric"],
sinkIdentifier: monitoringAccountSink.ref,
labelTemplate: "$AccountName",
}
);
});
所以我预计它将创建一个接收器和链接,并且所有 IAM 所需的角色都将在后台创建。
但是 Cloudformation 在尝试创建 Sink 时抛出错误:
Resource handler returned message: "Invalid request provided: AWS::Oam::Sink"
为什么会这样?我应该为监控帐户添加更多配置吗?是否遗漏了一些 IAM 设置? 我用来部署所有这些的角色具有管理员权限。
它对我有用。
const policy = {
Version: "2012-10-17",
Statement: [
{
Action: ["oam:CreateLink", "oam:UpdateLink"],
Effect: "Allow",
Resource: "*",
Principal: { AWS: [sharingAccountsPrincipals] },
Condition: {
"ForAllValues:StringEquals": { "oam:ResourceTypes": ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup"] },
},
},
],
};
const monitoringAccountSink = new oam.CfnSink(this, "sinkMainAccount", {
name: "monitoring-sink",
policy: policy,
});
您想在哪个地区创建这个?我不认为这在所有商业 AWS 区域都可用。