Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Unable to get aws:PrincipalOrgID to work with creating subscription filter

Tags:

amazon-web-services

amazon-cloudwatch

amazon-cloudwatchlogs

I have an AWS account with Organizations enabled. I want to ensure that certain logs from my child accounts go to my Kinesis stream in a logging account. The idea is that in future if I create a new child account in Organizations, the logs should go to Kinesis.

For this, I have created a Kinesis log destination in my logging account using aws logs put-destination command. I added a destination policy to it. The policy I used was:

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "PutSubscriptionFilter",
        "Effect": "Allow",
        "Principal": {
            "AWS": ["*"]
        },
        "Action": "logs:PutSubscriptionFilter",
        "Resource": "arn:aws:logs:us-east-1:123456789012:destination:mytestLogDestination",
        "Condition": {
            "StringEquals": {
                "aws:PrincipalOrgID": "o-abcde12345"
            }
        }
    }
}

The command I used to add the destination policy was:

aws logs put-destination-policy \
    --destination-name mytestLogDestination \
    --access-policy file://destination_policy.json

This added the destination policy successfully. I can confirm this by running the command: aws logs describe-destinations --destination-name-prefix mytestLogDestination. When I try to create a new subscription filter in one of my member accounts using the following command, it errors out. The command I tried is:

aws logs put-subscription-filter \
    --log-group-name "/aws/lambda/GetOrgIdFunction" \
    --filter-name randomsubscriptionfilter --filter-pattern "" \
    --destination-arn arn:aws:logs:us-east-1:123456789012:destination:mytestLogDestination

Error message is:

An error occurred (AccessDeniedException) when calling the PutSubscriptionFilter operation: User with accountId: 210987654321 is not authorized to perform: logs:PutSubscriptionFilter on resource: arn:aws:logs:us-east-1:123456789012:destination:mytestLogDestination

When I remove the condition and restrict the Principal to just my account (210987654321), it works fine. Is it possible to get this setup working or does AWS currently not support it?

like image 489
krishna_mee2004 Avatar asked Jul 26 '19 18:07

krishna_mee2004

People also ask

How do I create AWS subscription filter?

To create a subscription filter for Lambda Create the AWS Lambda function. Ensure that you have set up the Lambda execution role. For more information, see Step 2.2: Create an IAM Role (execution role) in the AWS Lambda Developer Guide.

2 Answers

As of August 02, 2019

After talking to AWS Support, this is CloudWatch Logs limitation as they don't yet support PrincipalOrgID. We would have to add each account separately when creating the log destination policy.

Marking this as an answer for now.

Update: January 06, 2021

According to a new AWS release, this is now supported. AWS documentation for reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html

like image 176
krishna_mee2004 Avatar answered Oct 02 '22 20:10

krishna_mee2004

How annoying, I wasted so much time testing different methods to try and get this running. Glad I eventually found your answer! I don't suppose they gave you any further information regarding dates when it might be supported? I'm assuming no conditions work with these policies as I tried PrincipleArn and I was having the same issue.

like image 32
Tom Avatar answered Oct 02 '22 20:10

Tom
Sign in to Comment

Related questions

AWS SageMaker Very large Dataset
Determine which SNS topics a SQS queue is subscribed to
How can I debug AWS Cloudfront signed URL access denied?
Error while playing Audio file for Alexa "AudioPlayer is currently an unsupported namespace"
Set AWS Cognito access token timeout manually
How to setup Cloudwatch log for a Lambda created in Cloudformation
Cross account access to AWS SQS with Server-side Encryption enabled
Terraform: How to make sure I run terraform on the expected AWS account
Attach more than one IAM inline policy from cloudformation to the same role
Fargate ThrottlingException Rate exceeded
AWS Cognito is sending SMS messages without my permission
How to change the Email FROM Name with NodeJs aws-sdk
AWS + Serverless - how to get at the secret key generated by cognito user pool
How do I set multiple --conf table parameters in AWS Glue?
What is the difference between ecs.amazonaws.com and ecs-tasks.amazonaws.com?
What is the best way to run python scripts in AWS?
AWS CLI check if a lambda function exists
Does an object lock in S3 helps prevent an object from being overwritten?
How to mock - reading file from s3
AWS SNS - How to get subscriber lambda triggered by publisher lambda output

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!