CloudWatch Logsの指定したロググループのログをS3にエクスポートする
Export log data to Amazon S3 using the console - Amazon CloudWatch Logs
CloudWatch Logsで指定したロググループのログのエクスポート先となるS3バケットをTerraformで作成する。
前提
Terraformバージョン: 0.12.30
AWSアカウントパーミッション: AdministratorAccess(SSO)
Terraform
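# Export destination for CloudWatch Logs log groups (bucket used for analysis).
# Account ID and region are read from the current provider configuration, so the
# bucket policy below needs no hand-edited placeholders; only the bucket name
# is a local value that has to be changed.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Change this to your own (globally unique) bucket name.
  log_analysis_bucket_name = "example-log-analysis"
  # Service principal CloudWatch Logs uses when an export task writes to S3.
  logs_service_principal = "logs.${data.aws_region.current.name}.amazonaws.com"
}

resource "aws_s3_bucket" "example_log_analysis" {
  bucket = local.log_analysis_bucket_name
  # Analysis-only bucket: objects are deleted together with the bucket on destroy.
  force_destroy = true

  server_side_encryption_configuration {
    rule {
      # Bucket keys only apply to SSE-KMS; kept explicit for SSE-S3 (AES256).
      bucket_key_enabled = false
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Built with jsonencode() instead of a <<POLICY heredoc: inside a heredoc a
  # "#" line is literal text, not a Terraform comment, so the original's
  # "change me" annotations ended up inside the policy and produced malformed
  # JSON that the API rejects. The bucket name comes from the local, not from
  # this resource's own attributes, to avoid a self-referencing cycle.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = local.logs_service_principal }
        Action    = "s3:GetBucketAcl"
        Resource  = "arn:aws:s3:::${local.log_analysis_bucket_name}"
        # aws:SourceAccount / aws:SourceArn limit the service principal to export
        # tasks originating from this account's log groups (confused-deputy guard).
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
          ArnLike = {
            "aws:SourceArn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
          }
        }
      },
      {
        Effect    = "Allow"
        Principal = { Service = local.logs_service_principal }
        Action    = "s3:PutObject"
        Resource  = "arn:aws:s3:::${local.log_analysis_bucket_name}/*"
        Condition = {
          StringEquals = {
            # Same account as the first statement; the original hard-coded a
            # different, literal account ID here instead of the placeholder.
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
            # Exported objects must be written with this ACL so the bucket owner
            # (not the CloudWatch Logs service) owns them.
            "s3:x-amz-acl" = "bucket-owner-full-control"
          }
          ArnLike = {
            "aws:SourceArn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
          }
        }
      }
    ]
  })
}
# This post is licensed under CC BY 4.0 by the author.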