I was following this document to export the logs to S3: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasks.html#ExportCrossAccount-CLI
I am doing it cross-account.
Here are the S3 bucket permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-west-2.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::cloudwatch-exportlogs1",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "477912222803"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-west-2:477912222803:log-group:/aws/lambda/applicationLambda:*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-west-2.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cloudwatch-exportlogs1/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": "477912222803"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-west-2:477912222803:log-group:/aws/lambda/applicationLambda:*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::477912222803:role/CloudWatchLogsExportToS3"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cloudwatch-exportlogs1/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Source IAM role trust policy and attached policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-west-2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DESTINATIONID:role/<rolename>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateExportTask",
        "logs:DescribeExportTasks",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:CancelExportTask"
      ],
      "Resource": "*"
    }
  ]
}
Destination IAM role trust policy and attached policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Source ID>:role/<role_name>"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-west-2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateExportTask",
        "logs:CancelExportTask",
        "logs:DescribeExportTasks",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::cloudwatch-exportlogs1",
        "arn:aws:s3:::cloudwatch-exportlogs1/*"
      ]
    }
  ]
}
I am getting this error: “An error occurred (InvalidParameterException) when calling the CreateExportTask operation: Please ensure that the export role and the destination bucket have all the required permissions as per the documentation.”
Am I using the correct permissions?
aws logs create-export-task --task-name "my-log-group-09-23-2024" --log-group-name "/aws/lambda/applicationLambda" --from 1727046409000 --to 1727129846000 --destination "cloudwatch-exportlogs1" --destination-prefix "export-task-output" --region us-west-2
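The error in the question is the generic one CloudWatch Logs returns whenever any of the documented bucket grants is missing or its conditions do not match the actual caller, so it is worth checking the bucket policy mechanically before retrying CreateExportTask. The script below is an added example (not code from the question or from AWS). It encodes the three Allow statements the linked documentation asks for: s3:GetBucketAcl on the bucket and s3:PutObject on the objects for the regional service principal logs.REGION.amazonaws.com, with the bucket-owner-full-control ACL condition, plus s3:PutObject for the IAM principal in the source account. It reports FAIL for grants that are absent or whose aws:SourceAccount/aws:SourceArn/s3:x-amz-acl conditions cannot match (IAM denies when a condition is present but does not match) and WARN when a confused-deputy guard is simply missing. The sample input is the bucket policy from the question; the function names, the POSTED_EXPORT parameters and the assumption that the service's aws:SourceArn is the log group ARN as DescribeLogGroups returns it (ending in :*) are mine.

```python
import fnmatch
import json

EXPORT_ACL = "bucket-owner-full-control"  # ACL CloudWatch Logs sets on every exported object


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_like(pattern, arn):
    """IAM ArnLike semantics: the six colon-delimited ARN fields are matched one by one
    with * and ? wildcards; the sixth (resource) field keeps any further colons."""
    pat, val = pattern.split(":", 5), arn.split(":", 5)
    return len(pat) == 6 and len(val) == 6 and all(
        fnmatch.fnmatchcase(v, p) for v, p in zip(val, pat))


def _cond(stmt, operator, key):
    return _as_list(stmt.get("Condition", {}).get(operator, {}).get(key, []))


def lint_export_bucket_policy(policy, *, bucket, region, source_account,
                              log_group_arn, export_principal_arn):
    """Check a bucket policy for the three Allow statements the export documentation
    requires. Returns a list of findings; [] means every documented grant is present.
    FAIL: the request will be denied. WARN: a confused-deputy guard is absent."""
    findings = []
    service = f"logs.{region}.amazonaws.com"  # must be the Region of the log group
    bucket_arn, objects_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]

    def grants(ptype, principal, action, resource):
        return [s for s in allows
                if principal in _as_list(s.get("Principal", {}).get(ptype, []))
                and action in _as_list(s.get("Action", []))
                and resource in _as_list(s.get("Resource", []))]

    def guard_checks(stmt, label):
        # A present-but-wrong condition denies the request; an absent one only weakens the policy.
        accounts = _cond(stmt, "StringEquals", "aws:SourceAccount")
        if not accounts:
            findings.append(f"WARN {label}: no aws:SourceAccount condition")
        elif source_account not in accounts:
            findings.append(f"FAIL {label}: aws:SourceAccount {accounts} lacks {source_account}")
        patterns = _cond(stmt, "ArnLike", "aws:SourceArn")
        if not patterns:
            findings.append(f"WARN {label}: no aws:SourceArn condition")
        elif not any(arn_like(p, log_group_arn) for p in patterns):
            findings.append(f"FAIL {label}: aws:SourceArn {patterns} does not match {log_group_arn}")

    # 1. The regional service principal must be able to read the bucket ACL.
    hits = grants("Service", service, "s3:GetBucketAcl", bucket_arn)
    if not hits:
        findings.append(f"FAIL no s3:GetBucketAcl on {bucket_arn} for {service}")
    for stmt in hits:
        guard_checks(stmt, "GetBucketAcl")

    # 2. The service principal writes the objects with the bucket-owner-full-control
    #    ACL, so any s3:x-amz-acl condition on that statement must equal it.
    hits = grants("Service", service, "s3:PutObject", objects_arn)
    if not hits:
        findings.append(f"FAIL no s3:PutObject on {objects_arn} for {service}")
    for stmt in hits:
        guard_checks(stmt, "PutObject(service)")
        if _cond(stmt, "StringEquals", "s3:x-amz-acl") not in ([], [EXPORT_ACL]):
            findings.append(f"FAIL PutObject(service): s3:x-amz-acl must be {EXPORT_ACL}")

    # 3. The IAM principal in the source account that calls CreateExportTask.
    if not grants("AWS", export_principal_arn, "s3:PutObject", objects_arn):
        findings.append(f"FAIL no s3:PutObject on {objects_arn} for {export_principal_arn}")
    return findings


# Sample input: the bucket policy from the question, reproduced compactly.
POSTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Principal": {"Service": "logs.us-west-2.amazonaws.com"},
  "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::cloudwatch-exportlogs1",
  "Condition": {"StringEquals": {"aws:SourceAccount": "477912222803"}, "ArnLike": {
   "aws:SourceArn": "arn:aws:logs:us-west-2:477912222803:log-group:/aws/lambda/applicationLambda:*"}}},
 {"Effect": "Allow", "Principal": {"Service": "logs.us-west-2.amazonaws.com"},
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::cloudwatch-exportlogs1/*",
  "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
   "aws:SourceAccount": "477912222803"}, "ArnLike": {
   "aws:SourceArn": "arn:aws:logs:us-west-2:477912222803:log-group:/aws/lambda/applicationLambda:*"}}},
 {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::477912222803:role/CloudWatchLogsExportToS3"},
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::cloudwatch-exportlogs1/*",
  "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
""")

# The export the question attempts (assumed: the log group ARN as DescribeLogGroups returns it).
POSTED_EXPORT = dict(
    bucket="cloudwatch-exportlogs1", region="us-west-2", source_account="477912222803",
    log_group_arn="arn:aws:logs:us-west-2:477912222803:log-group:/aws/lambda/applicationLambda:*",
    export_principal_arn="arn:aws:iam::477912222803:role/CloudWatchLogsExportToS3")


def lint_posted(**overrides):
    """Lint the posted policy for the posted export; overrides model a different export."""
    return lint_export_bucket_policy(POSTED_POLICY, **{**POSTED_EXPORT, **overrides})


if __name__ == "__main__":
    import sys
    # Pipe a live policy in:
    #   aws s3api get-bucket-policy --bucket B --query Policy --output text | python lint.py
    policy = POSTED_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for line in lint_export_bucket_policy(policy, **POSTED_EXPORT) or ["OK: documented grants present"]:
        print(line)
```

Run against the posted export, the posted policy comes back clean, which means the documented grants are all there for that exact log group in us-west-2; the same policy immediately fails the lint for any other log group or for a service principal in another Region, because its aws:SourceArn condition is pinned to /aws/lambda/applicationLambda and the principal to logs.us-west-2.amazonaws.com. Everything outside the bucket policy (which account's credentials actually issue CreateExportTask, whether the bucket is in the log group's Region, and whether the bucket still accepts the bucket-owner-full-control ACL under its Object Ownership setting) is not something a policy lint can see, so those remain manual checks.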