
AWS Documentation leaves so much to be desired. I am sure it's 100% accurate, just cryptic to me. I just want to see why my global accelerator is not routing to my internal web server. There are three (!) ways to monitor this, and I'm trying to turn on the first one listed (which must be the most straightforward, right?)

Here is what I'm following: https://docs.aws.amazon.com/global-accelerator/latest/dg/monitoring-global-accelerator.flow-logs.html#monitoring-global-accelerator.flow-logs-publishing-S3

And it boils down to 3 steps:

  1. Create an S3 bucket
  2. Set IAM roles
  3. Run CLI command to set flow-logs-enabled

Ok, I did 1 and 3. But 2? Three separate examples of IAM JSON files which should be applied to... ? Here is where I lose it.

What do I need to create in IAM?

Step 2a starts "An IAM principal, such as an IAM role or user, must have sufficient permissions to publish flow logs..."

What principal or user? Is this saying "we recommend you create a principal to do this"? I am happy to but the ambiguity makes my head ache.

Step 2b talks about "the user creating the flow log". Who is this? Who decides what user creates the logs? Is this the same principal or user as above?

I just want it to work. This is for one AWS account and I'm just trying to figure out why this accelerator is not working, unlike my others. That is the real problem. This log is a side-effect that I would prefer not to have to do if AWS just could show accelerator activity by default.

Daniel Williams

1 Answer

The principal in step 2 is, referring to the paragraph "To enable flow logs in AWS Global Accelerator":

the AWS user who is enabling the flow logs

So, in your case, it is the user that you will use to run the CLI command in step 3.

Filippo Testini
  • Ah, and the permissions "logs" means Cloudwatch logs? – Daniel Williams Sep 01 '23 at 15:43
  • if you're publishing the logs on S3, you're not pushing them on CloudWatch: they will be plain text logs in the S3 bucket that you are creating in step 1 – Filippo Testini Sep 01 '23 at 15:45
  • And do you recommend I add a new user for this? I feel there are too many users already, and those I have already do other things and I don't want to break their permissions by mucking with the JSON permissions. What is the right way to do this? – Daniel Williams Sep 01 '23 at 15:46
  • No, you can use a user that you've already set up with the CLI. If you wish to use an admin user, you likely won't need to add any additional policies to it. – Filippo Testini Sep 01 '23 at 15:47
  • Ok I used a good user and was able to update the accelerator with that S3 bucket. And I see the AWS logs bucket now. But nothing is in it. When should I expect to see data? I still have no idea if what I see will even be helpful. – Daniel Williams Sep 01 '23 at 15:54
  • And will this show up in the "Accelerator Event History" at the bottom of the main details screen? Or is that something else? – Daniel Williams Sep 01 '23 at 15:57
  • These are just logs stored in an S3 bucket, in the documented format (see paragraph "Flow log record syntax") that you can download, read and inspect. – Filippo Testini Sep 01 '23 at 16:19
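The three steps from the question, put together as one script. This is an added example, not code from the question, the answer, or AWS's documentation. It assumes the S3 bucket policy follows the standard AWS log-delivery shape (service principal delivery.logs.amazonaws.com allowed to PutObject only under AWSLogs/<account-id>/ with the bucket-owner-full-control ACL, plus GetBucketAcl on the bucket) and that the Global Accelerator actions can be scoped to one accelerator ARN; check both against the doc page linked above before applying, and append any "logs" actions that page lists for the enabling principal (the policy below covers only the Global Accelerator actions). ACCOUNT_ID, BUCKET and ACCELERATOR_ARN are placeholders; the file name ga-flow-logs.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: account id, bucket
# name and accelerator ARN are passed as arguments; policy shapes are assumptions
# (see lead-in) and must be checked against the Global Accelerator flow-logs doc.

# Least-privilege bucket policy: the log-delivery service may write objects only
# under <prefix>/AWSLogs/<account-id>/ and must hand ownership to the bucket owner.
build_bucket_policy() {
  account_id="$1"
  bucket="$2"
  prefix="${3:-ga-flow-logs}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/${prefix}/AWSLogs/${account_id}/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}"
    }
  ]
}
EOF
}

# Identity policy for the IAM user or role that runs the CLI command in step 3,
# i.e. the "principal" the question asks about. Scoped to a single accelerator
# (assumption: resource-level scoping is honoured for these actions).
build_user_policy() {
  accelerator_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "globalaccelerator:UpdateAcceleratorAttributes",
        "globalaccelerator:DescribeAcceleratorAttributes"
      ],
      "Resource": "${accelerator_arn}"
    }
  ]
}
EOF
}

# Step 3: enable flow logs, then read the attributes back to confirm the change.
# The Global Accelerator control-plane API is served only from us-west-2.
enable_flow_logs() {
  accelerator_arn="$1"
  bucket="$2"
  prefix="${3:-ga-flow-logs}"
  aws globalaccelerator update-accelerator-attributes \
    --region us-west-2 \
    --accelerator-arn "$accelerator_arn" \
    --flow-logs-enabled \
    --flow-logs-s3-bucket "$bucket" \
    --flow-logs-s3-prefix "$prefix"
  aws globalaccelerator describe-accelerator-attributes \
    --region us-west-2 \
    --accelerator-arn "$accelerator_arn"
}

# Objects are written under <prefix>/AWSLogs/ only once traffic actually flows
# through the accelerator; an empty listing right after enabling is expected.
list_flow_logs() {
  bucket="$1"
  prefix="${2:-ga-flow-logs}"
  aws s3 ls "s3://${bucket}/${prefix}/AWSLogs/" --recursive
}

# Usage: sh ga-flow-logs.sh apply ACCOUNT_ID BUCKET ACCELERATOR_ARN
# (nothing is executed against AWS unless "apply" is given)
if [ "${1:-}" = "apply" ]; then
  build_bucket_policy "$2" "$3" > bucket-policy.json
  aws s3api put-bucket-policy --bucket "$3" --policy file://bucket-policy.json
  build_user_policy "$4" > user-policy.json   # attach to the CLI user via IAM
  enable_flow_logs "$4" "$3"
  list_flow_logs "$3"
fi
```

Run with the CLI profile of the user you intend to use for step 3; if that user is already an administrator, only the bucket policy matters, which is what the accepted answer's comment thread concludes. Re-run list_flow_logs after some traffic has hit the accelerator; the records appear as plain-text objects in the S3 bucket, not in CloudWatch Logs and not in the console's "Accelerator Event History".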