terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page:https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws


Attach VPC flow policy

Israphel opened this issue · comments

Is your request related to a problem? Please describe.

It is possible to send VPC logs to S3 via flow_log, but it needs extra permissions.

Describe the solution you'd like.

Similar to how this module has attach_elb_log_delivery_policy for ELB/ALB logs, it would be nice to do the same for VPC logs.

Describe alternatives you've considered.

I considered creating a new module just for attaching the policy, or adding the policy creation to my own vpc flow logs module.

Additional context

This is what the policy looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-logs-bucket/custom_folder/AWSLogs/$account_id/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "$account_id",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:us-east-1:$account_id:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::my-logs-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "$account_id"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:us-east-1:$account_id:*"
                }
            }
        }
    ]
}
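
One way to get the same result with the module as it stands, as an added example that is not part of this issue or of the module's own code: build the two statements above with the `aws_iam_policy_document` data source and hand them to the module through its generic `attach_policy` / `policy` inputs (verify those input names against the module version you use). The bucket name, the `custom_folder` prefix and the `vpc_id` variable are constructed placeholders. The bucket ARN in the policy is derived from the bucket name rather than from a module output so the policy does not depend on the module it is passed into.

```hcl
# Added example; not code from the issue or from terraform-aws-s3-bucket.
# Assumes the module inputs `bucket`, `attach_policy` and `policy` and the
# module output `s3_bucket_arn` (check your module version).

variable "vpc_id" {
  type = string # assumed input: the VPC whose flow logs go to the bucket
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  bucket_name = "my-logs-bucket" # constructed placeholder
  log_prefix  = "custom_folder"  # constructed placeholder; must match aws_flow_log.log_destination
}

# Same two statements as the JSON in the issue, with account id and region
# taken from the provider instead of being hard-coded.
data "aws_iam_policy_document" "vpc_flow_log_delivery" {
  statement {
    sid     = "AWSLogDeliveryWrite"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    # Write grant is scoped to the flow-log prefix, not the whole bucket.
    resources = ["arn:aws:s3:::${local.bucket_name}/${local.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }

    # aws:SourceAccount and aws:SourceArn tie the grant to flow logs created in
    # this account and region; without them another account could point its
    # flow logs at this bucket through the same service principal.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }

  statement {
    sid       = "AWSLogDeliveryAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

module "log_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = local.bucket_name

  # Generic policy attachment; the issue asks for a dedicated switch like
  # attach_elb_log_delivery_policy so this document would not be needed.
  attach_policy = true
  policy        = data.aws_iam_policy_document.vpc_flow_log_delivery.json
}

resource "aws_flow_log" "vpc" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "s3"
  # The trailing prefix has to match local.log_prefix in the bucket policy,
  # otherwise PutObject is denied and no logs arrive.
  log_destination = "${module.log_bucket.s3_bucket_arn}/${local.log_prefix}/"
}
```

If delivery stops after a prefix or region change, the first things to compare are the `Resource` prefix and the region in `aws:SourceArn` against the flow log's `log_destination` and region; both conditions are evaluated on every write.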

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days.