Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CloudWatch resource access policy error while creating Amazon Elasticsearch Service via Cloud Formation

Tags:

amazon-web-services

elasticsearch

amazon-iam

amazon-cloudformation

aws-cloudformation-custom-resource

I am trying to create an elastic search domain with enabled LogPublishingOptions. While enabling LogPublishingOptions ES says it does not sufficient permissions to create a LogStream on Cloudwatch.

I tried creating a policy with a role and attaching the policy to the LogGroup which is referred by ES but it ain't working. Following is my elastic search cloud formation template,

AWSTemplateFormatVersion: 2010-09-09

Resources:
  MYLOGGROUP:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: index_slow

  MYESROLE:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: es.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonESFullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      RoleName: !Join
        - '-'
        - - es
          - !Ref 'AWS::Region'

  PolicyDocESIndexSlow :
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 
             - logs:PutLogEvents
             - logs:CreateLogStream
            Resource: 'arn:aws:logs:*'
      PolicyName: !Ref MYLOGGROUP
      Roles:
        - !Ref MYESROLE

  MYESDOMAIN:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: 'es-domain'
      ElasticsearchVersion: '7.4'
      ElasticsearchClusterConfig:
        DedicatedMasterCount: 3
        DedicatedMasterEnabled: True
        DedicatedMasterType: 'r5.large.elasticsearch'
        InstanceCount: '2'
        InstanceType: 'r5.large.elasticsearch'
      EBSOptions:
        EBSEnabled: True
        VolumeSize: 10
        VolumeType: 'gp2'
      AccessPolicies:
        Version: 2012-10-17
        Statement:
          - Effect: Deny
            Principal:
              AWS: '*'
            Action: 'es:*'
            Resource: '*'
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: True
      LogPublishingOptions:
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: !GetAtt
            - MYLOGGROUP
            - Arn
          Enabled: True
      VPCOptions:
        SubnetIds:
          - !Ref MYSUBNET
        SecurityGroupIds:
          - !Ref MYSECURITYGROUP
  MYVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  MYSUBNET:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MYVPC
      CidrBlock: 10.0.0.0/16
  MYSECURITYGROUP:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: security group for elastic search domain
      VpcId: !Ref MYVPC
      GroupName: 'SG for ES'
      SecurityGroupIngress:
        - FromPort: '443'
          IpProtocol: tcp
          ToPort: '443'
          CidrIp: 0.0.0.0/0

Upon execution, it creates all resources except MYESDOMAIN. It says

The Resource Access Policy specified for the CloudWatch Logs log group index_slow does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy. (Service: AWSElasticsearch; Status Code: 400; Error Code: ValidationException)

Any idea what's missing here?

like image 315
Milind Dalvi Avatar asked Jul 15 '20 09:07

Milind Dalvi

People also ask

Which error describes when AWS CloudFormation tries to create a resource that depends on another resource that hasn't been created yet?

Dependency error In some cases, you must explicitly declare dependencies so that AWS CloudFormation can create or delete resources in the correct order.

What are the three types of errors that are reported by the CloudFormation resource types in case of a failure?

Types of CloudFormation Errors For example, a missing comma or brace in JSON, an incorrect indentation in YAML, and so on. Such a template is not even deployed as the CloudFormation Console or the CLI will fail upon detecting the error.

What happens when CloudFormation stack creation fails?

If stack creation fails, go to the CloudFormation Resources list in the AWS Management Console to find the log group. Note that if stack creation fails before any instances are launched, a log group might not be created. By default, AWS deletes CloudWatch log groups if stack creation fails.

2 Answers

Update 2021

There is a CloudFormation resource called AWS::Logs::ResourcePolicy which allows defining policies for CloudWatch Logs in CF. The main issue I found is that it only accepts a real string as the value. Trying to assemble a string using Ref, Join, etc kept being rejected. If anyone can make that work that would be fab.

Writing it in YAML is easier as JSON requires escaping all the " characters.

OSLogGroupPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: AllowES
      PolicyDocument: '{"Version": "2012-10-17","Statement":[{"Effect":"Allow","Principal": {"Service": ["es.amazonaws.com"]},"Action":["logs:PutLogEvents","logs:CreateLogStream"],"Resource":"*"}]}'
like image 173
Tobin Avatar answered Oct 19 '22 19:10

Tobin

I believe there is some confusion here about what policies should be updated/set to enable ES writing to a log group.

I think you should apply the PolicyDocESIndexSlow policy to CloudWatch Logs.

And this can't be done in CloudFormation from what I remember. You have to use put-resource-policy, corresponding API call, or console as shown in:

  • Viewing Amazon Elasticsearch Service Slow Logs
like image 3
Marcin Avatar answered Oct 19 '22 17:10

Marcin
Sign in to Comment

Related questions

AWS CodePipeline, CodeDeploy, SAM and Lambda: how to (inter)connect those?
Aurora PostgreSQL engine: no space left on device
How to set AWS Appsync request timeout limit || AWSAppSync Client not giving callback
AWS Lambda: async C# handler
With AWS SageMaker, is it possible to deploy a pre-trained model using the sagemaker SDK?
Lambda authorizer response using async/await in Node.js
Using Encrypted EBS Volumes in Auto Scaling Groups with CMK owned by a different AWS account
What is the difference between `Ref: logicalName` and `!Ref logicalName` in AWS Cloudformation templates in YAML?
How to run Tabler in production
What does 'Box-Usage' mean in AWS? [closed]
AWS Lambda vs EC2: Which one to choose
How to use an S3 uri?
Occasional 'temporary failure in name resolution' while connecting to AWS Aurora cluster
Enable object logging on s3 bucket via cloudformation
Search through values of all AWS Lambda function's environment variables in AWS account
Capistorano deploy SSHKit::Runner::ExecuteError : rake exit status: 1
aws eks create cluster error - us-east-1e does not currently have sufficient capacity to support the cluster [closed]
Need to make an identical copy of AWS IAM role (including policies and trust relationship it has)
Encrypted bucket notifications from S3 to SQS
Create multiple rules in AWS security Group

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!