AWS ServiceLogs: Prerequisites
Step-by-step sequence for a successful implementation of AWS ServiceLogs
AWS Account
Users must have an active AWS account in which the AWS services to be monitored are already configured to forward their logs to S3 buckets, CloudWatch Log Groups, or EventBridge rules. All of the IAM resources below are created in that same account.
IAM Role
An IAM Role is created specifically for the Rakuten Sixthsense AWS configuration within the respective AWS account. The ARN of this IAM Role is referenced in the policy attached to the IAM User and is also passed to the Lambda function that forwards the logs.
Create and Attach Policy to IAM Role
Create a policy that grants the permissions required to fetch and forward logs from the log sources (S3 buckets, CloudWatch Log Groups, EventBridge rules); these are the actions marked "IAM Role" in the permission list below. Attach it to the IAM Role created for the Rakuten Sixthsense AWS configuration within the respective AWS account.
IAM User
An IAM User is created specifically for the Rakuten Sixthsense AWS configuration within the respective AWS account. This IAM User must have valid credentials (Access Key ID and Secret Access Key) with which Rakuten Sixthsense authenticates to the account. Because these are long-lived credentials, create them only for this dedicated user and grant it nothing beyond the policy described in the next step.
Create and Attach Policy to IAM User
Create a policy that grants the permissions required to create Lambda functions and to list log paths/files from the log sources (S3 buckets, CloudWatch Log Groups, EventBridge rules); these are the actions marked "IAM User" in the permission list below. Attach it to the IAM User created for the Rakuten Sixthsense AWS configuration within the respective AWS account.
- Note: Convention of the role ARN
arn:[partition]:iam::[account-id]:role/[role-name]
- partition - For standard AWS regions this is aws. For GovCloud or China it differs (e.g., aws-us-gov, aws-cn).
- The region field between the two colons is empty because IAM is a global service.
- account-id - The 12-digit AWS account number where the role exists.
- role-name - The name of the IAM role you created in that account for the Rakuten Sixthsense AWS configuration.
List of permissions used in the above policy configurations
Below is the list of AWS IAM permissions required to install AWS ServiceLogs. They allow the creation of AWS Lambda functions and the attachment of triggers according to the user's configuration. Grant each permission only to the principal listed (IAM User or IAM Role) and only for the log-forwarding types you actually use.
Log forwarding types: S3 Bucket (S3), CloudWatch Log Group (CWL), EventBridge Rule (EB).
Permission | Description | Configured in Policy attached to | Required for which log forwarding type |
---|---|---|---|
iam:SimulatePrincipalPolicy | Simulates policy to validate permissions during development or auditing. (Checking if all the necessary permissions are present) | IAM User | S3 or CWL or EB |
sts:GetCallerIdentity | Verifies the caller's AWS account and identity for secure operations. | IAM User | S3 or CWL or EB |
ec2:DescribeRegions | Lists AWS regions to validate or select regions for Lambda deployment. | IAM User | S3 or CWL or EB |
s3:ListAllMyBuckets | Lists buckets to allow users to select one as a Lambda trigger source. | IAM User | S3 |
s3:GetBucketLocation | Checks a bucket’s region to ensure compatibility with Lambda. | IAM User | S3 |
s3:ListBucket | Inspects bucket contents to validate prefixes for triggers. | IAM User | S3 |
s3:GetBucketNotification | Retrieves bucket notification settings to avoid trigger conflicts. | IAM User | S3 |
s3:PutBucketNotification | Configures bucket notifications to trigger Lambda functions. | IAM User | S3 |
lambda:CreateFunction | Creates a new Lambda function based on user input. | IAM User | S3 or CWL or EB |
lambda:GetFunction | Retrieves function details to verify existence or configuration. | IAM User | S3 or CWL or EB |
lambda:DeleteFunction | Deletes a Lambda function if needed. | IAM User | S3 or CWL or EB |
lambda:UpdateFunctionConfiguration | Updates function settings (e.g., timeout, memory). | IAM User | S3 or CWL or EB |
lambda:AddPermission | Grants permissions for triggers to invoke the Lambda function. | IAM User | S3 or CWL or EB |
lambda:RemovePermission | Removes trigger permissions when updating or deleting triggers. | IAM User | S3 or CWL or EB |
logs:DescribeLogGroups | Lists log groups to manage logging for Lambda functions. | IAM User | CWL |
logs:PutSubscriptionFilter | Configures log subscriptions for monitoring or analytics. | IAM User | CWL |
logs:DeleteSubscriptionFilter | Removes log subscriptions when no longer needed. | IAM User | CWL |
events:PutTargets | Adds Lambda functions as targets for EventBridge rules. | IAM User | EB |
events:RemoveTargets | Removes Lambda targets from EventBridge rules. | IAM User | EB |
events:ListRules | Lists EventBridge rules to validate or manage triggers. | IAM User, IAM Role | EB |
s3:GetObject | Allows the role to read (download) objects from the S3 bucket. | IAM Role | S3 |
events:DescribeRule | Allows the role to get detailed information about a specific EventBridge rule. | IAM Role | EB |
events:ListTargetsByRule | Allows the role to list the targets (actions triggered) associated with a specific EventBridge rule. | IAM Role | EB |
logs:CreateLogGroup | Allows creating new CloudWatch Log Groups. Needed only if log groups are to be created for logging/debugging of the log forwarding itself (optional). | IAM Role | S3 or CWL or EB (optional) |
logs:CreateLogStream | Allows creating a log stream within a CloudWatch Log Group. Needed only for logging/debugging of the log forwarding itself (optional). | IAM Role | S3 or CWL or EB (optional) |
logs:PutLogEvents | Allows writing log events (the actual log messages) into a log stream. Needed only for logging/debugging of the log forwarding itself (optional). | IAM Role | S3 or CWL or EB (optional) |
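The following Python script is an added example and is not part of the original page or of Rakuten Sixthsense's own tooling. It encodes the permission table above as data, derives the action list for the IAM User and for the IAM Role for a chosen set of forwarding types, validates a role ARN against the convention given in the note above, and performs an offline check of a policy document against the required actions (a local stand-in for what iam:SimulatePrincipalPolicy does against the live account). The account ID, the role name and the use of `Resource: "*"` are assumptions for illustration; in production, scope the resources down to the bucket, log group, rule and function ARNs you actually use.

```python
"""Derive, validate and check the IAM policies described on this page (runs offline)."""
import fnmatch
import json
import re

# The page's permission table: action -> (principal(s) it belongs to, forwarding type).
# "*" means the action is needed for every forwarding type (S3, CWL and EB).
PERMISSIONS = {
    "iam:SimulatePrincipalPolicy": ("user", "*"),
    "sts:GetCallerIdentity": ("user", "*"),
    "ec2:DescribeRegions": ("user", "*"),
    "s3:ListAllMyBuckets": ("user", "S3"),
    "s3:GetBucketLocation": ("user", "S3"),
    "s3:ListBucket": ("user", "S3"),
    "s3:GetBucketNotification": ("user", "S3"),
    "s3:PutBucketNotification": ("user", "S3"),
    "lambda:CreateFunction": ("user", "*"),
    "lambda:GetFunction": ("user", "*"),
    "lambda:DeleteFunction": ("user", "*"),
    "lambda:UpdateFunctionConfiguration": ("user", "*"),
    "lambda:AddPermission": ("user", "*"),
    "lambda:RemovePermission": ("user", "*"),
    "logs:DescribeLogGroups": ("user", "CWL"),
    "logs:PutSubscriptionFilter": ("user", "CWL"),
    "logs:DeleteSubscriptionFilter": ("user", "CWL"),
    "events:PutTargets": ("user", "EB"),
    "events:RemoveTargets": ("user", "EB"),
    "events:ListRules": ("user,role", "EB"),
    "s3:GetObject": ("role", "S3"),
    "events:DescribeRule": ("role", "EB"),
    "events:ListTargetsByRule": ("role", "EB"),
}
# Optional trio: only needed when the role should write its own debug logs to CloudWatch.
DEBUG_LOGGING = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

# arn:[partition]:iam::[account-id]:role/[role-name]; the region field is empty (IAM is global).
# The role-name group also accepts an optional IAM path prefix (e.g. role/service/Name).
ROLE_ARN_RE = re.compile(
    r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/((?:[\w+=,.@-]+/)*[\w+=,.@-]{1,64})$"
)


def parse_role_arn(arn):
    """Validate a role ARN against the page's convention and return its parts."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a valid IAM role ARN: {arn!r}")
    return {"partition": m.group(1), "account_id": m.group(2), "role_name": m.group(3)}


def required_actions(principal, forwarding_types, debug_logging=False):
    """Actions the table requires for `principal` ('user' or 'role') and the chosen types."""
    wanted = set(forwarding_types)
    actions = sorted(
        action for action, (who, ftype) in PERMISSIONS.items()
        if principal in who.split(",") and (ftype == "*" or ftype in wanted)
    )
    if principal == "role" and debug_logging:
        actions += list(DEBUG_LOGGING)
    return actions


def policy_document(actions, resource="*"):
    """Minimal Allow-only policy. Resource "*" is an assumption; scope it down in production."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}]}


def granted_actions(policy):
    """Every Allow action pattern (wildcards included) in a policy document."""
    granted = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        granted.update([action] if isinstance(action, str) else action)
    return granted


def missing_permissions(policy, required):
    """Required actions that no Allow pattern covers. IAM action names are case-insensitive.
    Caveat: Deny statements, NotAction and Conditions are ignored; the authoritative check
    is iam:SimulatePrincipalPolicy against the real principal."""
    grants = [g.lower() for g in granted_actions(policy)]
    return sorted(r for r in required
                  if not any(fnmatch.fnmatchcase(r.lower(), g) for g in grants))


if __name__ == "__main__":
    # Constructed sample values, not a real account or role.
    role = parse_role_arn("arn:aws:iam::123456789012:role/SixthSenseLogForwarder")
    user_policy = policy_document(required_actions("user", ["S3", "CWL"]))
    role_policy = policy_document(required_actions("role", ["S3", "CWL"], debug_logging=True))
    print(json.dumps({"role": role, "user_policy": user_policy, "role_policy": role_policy}, indent=2))
    # Adding EB later without updating the user policy shows up here as three missing actions.
    print("missing for EB:", missing_permissions(user_policy, required_actions("user", ["S3", "CWL", "EB"])))
```

Run the script to print the two policy documents for an S3 + CloudWatch deployment; the final line lists the EventBridge actions that would still be missing from the user policy, which is the kind of gap the IAM User's own iam:SimulatePrincipalPolicy permission lets the installer detect in the live account.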
Once the IAM Role, IAM User and their policies are in place, proceed to the configuration of AWS ServiceLogs: