
I’ve tested a variation of wide policy access, and got to the same point – the log group is created, but the log stream isn’t.

I followed https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-configuring-cloudwatch-logs.html and the expected result is getting those messages in CloudWatch, but nothing's coming in.

The goal is to have audit and general MQ logs in CloudWatch. Has anyone managed to stream MQ logs in CloudWatch? How could I further debug this?

mattmin
  • How did you manage to get the logs in CW? – asur Sep 26 '19 at 08:33
  • I used terraform (check the comment below). You can also use the aws cli to set the IAM policy: `aws --region us-east-1 logs put-resource-policy --policy-name AmazonMQ-logs --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" }, "Action":[ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource" : "arn:aws:logs:*:*:log-group:/aws/amazonmq/*" } ] }'` I remember restarting the MQ after enabling the logs from the AWS console helped. – mattmin Oct 01 '19 at 10:01

3 Answers


I managed to create the Amazon MQ Broker with logging enabled, and publishing log messages to Cloudwatch using terraform's provider 1.43.2 -- my project has a lock-down on an older tf provider version, so if you're using a newer one you should be fine

https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANGELOG.md#1430-november-07-2018

This was the policy that I didn't get right the first time, and needed for MQ to post to Cloudwatch:

# Resource policy: let the Amazon MQ service principal create log streams and put
# events, limited to log groups under /aws/amazonmq/
data "aws_iam_policy_document" "mq-log-publishing-policy" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = ["arn:aws:logs:*:*:log-group:/aws/amazonmq/*"]

    principals {
      identifiers = ["mq.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "mq-log-publishing-policy" {
  policy_document = "${data.aws_iam_policy_document.mq-log-publishing-policy.json}"
  policy_name     = "mq-log-publishing-policy"
}

Make sure this policy has been correctly applied, otherwise nothing will come up on Cloudwatch. I did so using aws cli:

aws --profile my-testing-profile-name --region my-profile-region logs describe-resource-policies

and you should see the policy in the output.

mattmin
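The verification the answer above does by eye with `describe-resource-policies` can be automated. The following is an added Python example (not code from the question, any answer, or AWS): it parses a CloudWatch Logs resource policy, confirms it grants mq.amazonaws.com both logs:CreateLogStream and logs:PutLogEvents on a concrete broker log group ARN, and flags a "wide" variant like the one the question mentions (Resource "*", logs:*, or any principal) as broader than the /aws/amazonmq/* scope the answers use. The sample ARN, account id and broker name are constructed; the boto3 helper assumes credentials for the target account and that boto3 is installed.

```python
"""Check that a CloudWatch Logs resource policy lets the Amazon MQ service principal
write broker logs, then optionally apply and read it back with boto3.
Added example; not code from the question or any answer above."""
import fnmatch
import json

MQ_SERVICE_PRINCIPAL = "mq.amazonaws.com"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
MQ_LOG_GROUP_PREFIX = "log-group:/aws/amazonmq/"

# Constructed sample ARN (account id and broker name are made up).
SAMPLE_LOG_GROUP_ARN = "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/amazonmq/general-demo"

# The policy shown in the answers, scoped to /aws/amazonmq/*.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "mq.amazonaws.com"},
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"}]}

# Constructed "wide" variant: every logs action on every log group in the account.
WIDE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": ["mq.amazonaws.com"]},
    "Action": "logs:*",
    "Resource": "*"}}


def _as_list(value):
    """IAM accepts either a single string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, target):
    """IAM-style wildcard match ('*' and '?'); escape '[' so fnmatch does not read it as a class."""
    return fnmatch.fnmatchcase(target, pattern.replace("[", "[[]"))


def check_mq_log_policy(policy_document, log_group_arn=SAMPLE_LOG_GROUP_ARN):
    """Evaluate the policy (dict or JSON string) against one concrete log group ARN.

    grants_logging: both required actions are allowed for mq.amazonaws.com
    missing_actions: required actions that no statement grants
    overly_broad: a granting statement reaches outside /aws/amazonmq/ or trusts any principal
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    granted, overly_broad = set(), False

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        any_principal = principal == "*"
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if not any_principal and MQ_SERVICE_PRINCIPAL not in services:
            continue
        resources = _as_list(stmt.get("Resource"))
        if not any(_matches(r, log_group_arn) for r in resources):
            continue
        actions = _as_list(stmt.get("Action"))
        newly = {req for req in REQUIRED_ACTIONS if any(_matches(a, req) for a in actions)}
        if not newly:
            continue
        granted |= newly
        # Needed actions are granted, but not limited to the MQ log group prefix (or open to all).
        if any_principal or any(MQ_LOG_GROUP_PREFIX not in r for r in resources):
            overly_broad = True

    return {"grants_logging": granted == REQUIRED_ACTIONS,
            "missing_actions": sorted(REQUIRED_ACTIONS - granted),
            "overly_broad": overly_broad}


def apply_and_verify(policy_name, policy_document, region, log_group_arn=SAMPLE_LOG_GROUP_ARN):
    """Put the policy with boto3 and read it back, like `aws logs describe-resource-policies`
    in the answer above. Needs AWS credentials; boto3 is imported lazily so the offline
    checker has no dependency on it."""
    import boto3  # assumed to be installed where this is run

    logs = boto3.client("logs", region_name=region)
    logs.put_resource_policy(policyName=policy_name, policyDocument=json.dumps(policy_document))
    stored = [p for p in logs.describe_resource_policies()["resourcePolicies"]
              if p["policyName"] == policy_name]
    if not stored:
        raise RuntimeError(f"resource policy {policy_name!r} not found after put")
    return check_mq_log_policy(stored[0]["policyDocument"], log_group_arn)


if __name__ == "__main__":
    for label, doc in (("scoped", SCOPED_POLICY), ("wide", WIDE_POLICY)):
        print(label, check_mq_log_policy(doc))
```

Run it as-is to see both verdicts offline; call `apply_and_verify("mq-log-publishing-policy", SCOPED_POLICY, "eu-central-1")` against a real account to both install the policy and confirm it was stored with the expected grant. A policy that reports `grants_logging: False` explains the symptom in the question (log group created, no stream), while `overly_broad: True` means the policy works but hands the MQ service principal more of the account's log groups than it needs.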

Or if you're using aws cli you can try

aws --region [your-region] logs put-resource-policy --policy-name AmazonMQ-logs \
--policy-document '{
"Statement": [
    {
        "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Allow",
        "Principal": {
            "Service": "mq.amazonaws.com"
        },
        "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
    }
],
"Version": "2012-10-17"
}'
DoT

Install the AWS CLI agent for Windows and configure your credentials https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html

Create a JSON file in "C:\Users\YOUR-USER\" containing your policy. For example: C:\Users\YOUR-USER\policy.json. You can simply copy this one here and paste into your .json file:

{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "mq.amazonaws.com"},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource" : "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"}]}

Open your CMD and simply type:

aws --region eu-central-1 logs put-resource-policy --policy-name amazonmq_to_cloudwatch --policy-document file://policy.json

Well done! This will create an AWS resource policy, which sometimes is not possible to create in the IAM console.