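To make CloudWatch logs easier to review and to keep them long term, we usually export them to S3 for persistence, then crawl them with Glue and analyze them with Athena.
Export errors you may run into here: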
GetBucketAcl call on the given bucket failed. Please check if CloudWatch Logs has been granted permission to perform this operation.
PutObject call on the given bucket failed. Please check if CloudWatch Logs has been granted permission to perform this operation.
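This happens when the S3 bucket's policy does not allow these operations, so they are implicitly denied by default.
You only need to modify the permissions on the S3 bucket.
An example of the permissions in JSON: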
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchLogsGetBucketAcl",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucketname>",
        "arn:aws:s3:::<bucketname>/*"
      ]
    }
  ]
}
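An offline check of a bucket policy before starting an export, added here as an example and not part of the original post: it reports which of the two actions named in the errors above the policy fails to grant to logs.amazonaws.com. The function names, the bucket name and both sample policies are constructed for illustration, and the check reads Allow statements only (Deny and Condition are not evaluated).

```python
from fnmatch import fnmatchcase

SERVICE = "logs.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(stmt, action, resource):
    """True if one Allow statement gives CloudWatch Logs `action` on `resource`."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = (_as_list(principal.get("Service", []))
                if isinstance(principal, dict) else [principal])
    if not any(s in ("*", SERVICE) for s in services):
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def missing_export_grants(policy, bucket):
    """List the S3 actions the policy fails to allow for an export to `bucket`.

    Simplified: only Allow statements are read; Deny and Condition are ignored.
    """
    statements = _as_list(policy.get("Statement", []))
    needed = {
        "s3:GetBucketAcl": f"arn:aws:s3:::{bucket}",            # bucket ARN
        "s3:PutObject": f"arn:aws:s3:::{bucket}/sample/object",  # constructed key
    }
    return [action for action, arn in needed.items()
            if not any(_grants(s, action, arn) for s in statements)]

def make_policy(resources):
    """Constructed sample: the page's statement with the given Resource list."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudWatchLogsGetBucketAcl", "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": ["s3:GetBucketAcl", "s3:PutObject"],
        "Resource": resources}]}

BUCKET = "example-export-bucket"  # constructed bucket name
GOOD = make_policy([f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
# Object ARN names a different bucket than the bucket ARN.
MISMATCHED = make_policy([f"arn:aws:s3:::{BUCKET}", "arn:aws:s3:::bucketname/*"])

if __name__ == "__main__":
    for name, policy in (("good", GOOD), ("mismatched", MISMATCHED)):
        print(name, "->", missing_export_grants(policy, BUCKET) or "export grants present")
```

A result containing s3:GetBucketAcl corresponds to the first error message above, and s3:PutObject to the second.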