
I have two accounts A and B. I have a service in Account B that writes its logs to CloudWatch. In account A I have an AWS Lambda that periodically needs to run a CloudWatch Insights query to retrieve logs that match a pattern.

I can't seem to find a way to set up permissions for this or how to make a cross-account CloudWatch query from Lambda in Account A to CloudWatch logs in Account B. Is this even possible? If so, how?

nebula186
  • Does this answer your question? [AWS: Boto3: AssumeRole example which includes role usage](https://stackoverflow.com/questions/44171849/aws-boto3-assumerole-example-which-includes-role-usage) -- you can assume roles in other accounts. – sytech Dec 14 '22 at 19:22

1 Answer


You can do it using a cross-account access IAM role, assuming the role from account B.

A good detailed explanation with examples can be found here.

Essentially, you have to assume a role from account B which allows your Lambda function in account A to access certain resources in account B. In the trust policy of the IAM role, your AWS account A ID has to be set, so your Lambda can access resources based on what the account B policy allows.

ms12
  • This might be the mistake I'm making. I was trying to use the role from A and give it permissions to the resources in B (like I did with S3) without relying on assuming a role in B. I'll try this out – nebula186 Dec 14 '22 at 20:11
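The answer's approach carried through as an added example (not part of the original post): the trust policy and a least-privilege permissions policy for the role in account B, plus a Lambda in account A that assumes that role with STS and polls a Logs Insights query with the temporary credentials. The role ARN, log group and region are placeholders, and `run_insights_query` takes any boto3 CloudWatch Logs client so it can be exercised without AWS access.

```python
# Added example (not from the original post); role ARN, log group and region are placeholders.
import time

ROLE_ARN_IN_B = "arn:aws:iam::222222222222:role/LogsInsightsReadRole"  # placeholder
LOG_GROUP = "/aws/service-in-b"  # placeholder: the log group in account B

def trust_policy(lambda_role_arn_in_a: str) -> dict:
    """Trust policy for the role in B: only A's Lambda execution role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn_in_a}, "Action": "sts:AssumeRole"}]}

def permissions_policy(log_group_arn: str) -> dict:
    """Role-in-B permissions: StartQuery scoped to one log group; GetQueryResults/StopQuery are not resource-scoped."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:StartQuery", "Resource": log_group_arn},
        {"Effect": "Allow", "Action": ["logs:GetQueryResults", "logs:StopQuery"],
         "Resource": "*"}]}

def assume_role_session(role_arn: str, session_name: str = "insights-query"):
    """Swap the Lambda's account-A credentials for temporary credentials in B.
    The Lambda execution role in A must itself be allowed sts:AssumeRole on role_arn."""
    import boto3  # imported lazily so the offline parts of this module need no boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

def run_insights_query(logs, log_group: str, query: str, start: int, end: int,
                       sleep=time.sleep, max_polls: int = 60) -> list:
    """Start an Insights query on `logs` (a CloudWatch Logs client), poll it, return rows as {field: value} dicts."""
    query_id = logs.start_query(logGroupName=log_group, startTime=start, endTime=end,
                                queryString=query)["queryId"]
    for _ in range(max_polls):
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] not in ("Scheduled", "Running"):
            break
        sleep(1)
    else:  # never finished: stop the query in B rather than leave it running
        logs.stop_query(queryId=query_id)
        raise TimeoutError(f"query {query_id} still running after {max_polls} polls")
    if resp["status"] != "Complete":
        raise RuntimeError(f"query {query_id} ended with status {resp['status']}")
    return [{f["field"]: f["value"] for f in row} for row in resp["results"]]

def handler(event, context):  # Lambda entry point in account A
    logs = assume_role_session(ROLE_ARN_IN_B).client("logs", region_name="us-east-1")
    now = int(time.time())
    return run_insights_query(logs, LOG_GROUP,
        "fields @timestamp, @message | filter @message like /ERROR/", now - 3600, now)
```

The Lambda execution role in account A needs its own `sts:AssumeRole` allow on the role ARN in B; the trust policy on B's side and that allow on A's side are both required.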