
AWS Log Setup (ELB Access Log, VPC Flow Log)

seongduck 2024. 3. 21. 13:09

1. To collect NLB Access Logs in S3, add the following permissions to the S3 bucket.
The bucket's permissions must be changed first.

1. Select the S3 bucket that will store the logs
2. Select "Permissions" > "Bucket policy"

"""
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
                },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringEquals": {
                "aws:SourceAccount": ["0123456789"]
                },
                "ArnLike": {
                "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": ["0123456789"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
                }
            }
        }
    ]
}
"""

Then configure it on the NLB.

1. Select the NLB and choose Edit
2. Under "Monitoring" > "Access logs", select the S3 bucket configured above

2. To collect ALB Access Logs in S3, add the following permissions to the S3 bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::600734575887:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/AWSLogs/aws-account-id/*"
    }
  ]
}
```

3. VPC Flow Log

1. Select the VPC
2. Click Create flow log
3. Fill in the fields and finish