I need to send log data from Amazon CloudWatch Logs to another AWS account’s Amazon Kinesis data stream in a different AWS Region.
To deliver CloudWatch log events to Kinesis Data Streams in different AWS accounts and AWS Regions, set up cross-account log data sharing with subscriptions and specify the AWS Region.
In this example use case, CloudWatch Logs in the AWS Region us-east-1 are delivered to another AWS user's Kinesis data stream in us-west-2.
1. Create a destination data stream in Kinesis in the data recipient account with an AWS Identity and Access Management (IAM) role and trust policy.
Be sure to specify the --region when you use the create-stream command to create the data stream. For example, this command creates the data stream YourStreamName in the AWS Region us-west-2:
aws kinesis create-stream --stream-name "YourStreamName" --shard-count 1 --region us-west-2
Be sure to specify the --region when you use the describe-stream command to check the StreamDescription.StreamStatus property. For example, this command checks the stream YourStreamName in the AWS Region us-west-2:
aws kinesis describe-stream --stream-name "YourStreamName" --region us-west-2
Be sure to specify the --region when you use the put-destination command to create the CloudWatch Logs destination. The destination is created in the Region of the source log data (us-east-1 in this example), while --target-arn points to the data stream in us-west-2 and --role-arn names the recipient-account role that CloudWatch Logs assumes to write to it. For example, this command creates the log destination in the recipient account (222222222222):
aws logs put-destination \
    --destination-name "testDestination" \
    --target-arn "arn:aws:kinesis:us-west-2:222222222222:stream/YourStreamName" \
    --role-arn "arn:aws:iam::222222222222:role/YourIAMRoleName" \
    --region us-east-1
2. Create a subscription filter in your account.
3. (Optional) Check that your data stream is working correctly by validating the flow of log events.
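A common mistake with the steps above is mixing up which Region goes where: the stream lives in us-west-2, but the destination must be created in the source Region (us-east-1), and the role must belong to the same account as the stream. The following added example (not part of the Knowledge Center article or the AWS CLI) parses the ARNs, checks a put-destination invocation for those inconsistencies, and builds the least-privilege permissions policy the recipient role needs; the source account number 111111111111 is a constructed placeholder.

```python
import re

# Constructed values mirroring the article: stream in us-west-2 owned by the
# recipient account 222222222222, log data originating in us-east-1.
ARN_RE = re.compile(
    r"^arn:aws:(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*):"
    r"(?P<account>\d{12}|):(?P<resource>.+)$"
)

def parse_arn(arn):
    """Split an AWS ARN into service, region, account and resource parts."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed ARN: {arn}")
    return m.groupdict()

def check_destination_args(source_region, target_arn, role_arn, dest_region):
    """Return the problems with a put-destination call (empty list if consistent).
    Rules checked: --target-arn is a Kinesis stream, --role-arn is an IAM role,
    both belong to the same (recipient) account, and --region is the Region of
    the source log data rather than the Region of the stream."""
    problems = []
    target = parse_arn(target_arn)
    role = parse_arn(role_arn)
    if target["service"] != "kinesis" or not target["resource"].startswith("stream/"):
        problems.append("--target-arn is not a Kinesis data stream ARN")
    if role["service"] != "iam" or not role["resource"].startswith("role/"):
        problems.append("--role-arn is not an IAM role ARN")
    if target["account"] != role["account"]:
        problems.append("stream and role belong to different accounts")
    if dest_region != source_region:
        problems.append(f"--region must be the source Region {source_region}, not {dest_region}")
    return problems

def role_permissions_policy(target_arn):
    """Permissions policy for the recipient role: write only to this one stream."""
    parse_arn(target_arn)  # fail early on a malformed ARN
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "kinesis:PutRecord", "Resource": target_arn}],
    }

if __name__ == "__main__":
    stream = "arn:aws:kinesis:us-west-2:222222222222:stream/YourStreamName"
    role = "arn:aws:iam::222222222222:role/YourIAMRoleName"
    print(check_destination_args("us-east-1", stream, role, "us-east-1"))  # []
    print(check_destination_args("us-east-1", stream, role, "us-west-2"))  # wrong --region
```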
Published: 2018-10-26