
How do I set up AWS CloudWatch log archiving to Glacier?

In this guide, we will set up AWS CloudWatch log archiving to Amazon S3 Glacier using Pulumi. We will create a CloudWatch Log Group, an S3 bucket configured for Glacier storage, and set up the necessary permissions and lifecycle rules to archive the logs.

Key Points

  • CloudWatch Log Group: Stores the logs generated by your AWS resources.
  • S3 Bucket: Stores the archived logs in Glacier storage class.
  • Permissions: IAM roles and policies to allow CloudWatch to write logs to S3.
  • Lifecycle Rules: Automatically transition logs from S3 to Glacier.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an S3 bucket for storing logs
const logsBucket = new aws.s3.Bucket("logsBucket", {
    lifecycleRules: [{
        enabled: true,
        transitions: [{
            days: 30, // Transition objects to Glacier after 30 days
            storageClass: "GLACIER",
        }],
    }],
});

// Create a CloudWatch Log Group
const logGroup = new aws.cloudwatch.LogGroup("logGroup", {
    retentionInDays: 90, // Retain logs in CloudWatch for 90 days
});

// A CloudWatch Logs subscription filter cannot deliver straight to an S3 bucket: its
// destination must be a Kinesis Data Stream, a Kinesis Data Firehose delivery stream or a
// Lambda function. A Firehose delivery stream therefore sits between the log group and the bucket.

// IAM role that Firehose assumes to write objects into the bucket
const firehoseRole = new aws.iam.Role("firehoseRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "firehose.amazonaws.com" }),
});

// Least-privilege policy: only the S3 actions Firehose needs, scoped to this one bucket
const firehosePolicy = new aws.iam.RolePolicy("firehosePolicy", {
    role: firehoseRole.id,
    policy: logsBucket.arn.apply(arn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
            ],
            Resource: [arn, `${arn}/*`],
        }],
    })),
});

// Delivery stream that batches log events and writes them, gzip-compressed, to the bucket
const deliveryStream = new aws.kinesis.FirehoseDeliveryStream("logsDeliveryStream", {
    destination: "extended_s3",
    extendedS3Configuration: {
        roleArn: firehoseRole.arn,
        bucketArn: logsBucket.arn,
        compressionFormat: "GZIP",
    },
}, { dependsOn: [firehosePolicy] }); // The policy must exist before Firehose validates the role

// IAM role that the CloudWatch Logs service assumes to put records into Firehose
const logRole = new aws.iam.Role("logRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "logs.amazonaws.com" }),
});

// Attach a policy to the role that allows writing only to this delivery stream
const logPolicy = new aws.iam.RolePolicy("logPolicy", {
    role: logRole.id,
    policy: deliveryStream.arn.apply(arn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: ["firehose:PutRecord", "firehose:PutRecordBatch"],
            Resource: arn,
        }],
    })),
});

// Subscription filter that streams every event in the log group to the delivery stream
const logSubscription = new aws.cloudwatch.LogSubscriptionFilter("logSubscription", {
    logGroup: logGroup.name,
    destinationArn: deliveryStream.arn,
    roleArn: logRole.arn,
    filterPattern: "", // Match all logs
}, { dependsOn: [logPolicy] });

export const bucketName = logsBucket.bucket;
export const logGroupName = logGroup.name;

Summary

In this guide, we created a CloudWatch Log Group to store logs and an S3 bucket with a lifecycle rule to transition objects to Glacier storage after 30 days. We also set up an IAM role and policy to allow CloudWatch to write logs to the S3 bucket and created a subscription filter to send logs from CloudWatch to S3. This setup ensures that logs are archived to Glacier for long-term storage, optimizing cost and storage efficiency.
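The lifecycle rule above is written by hand, which is fine for one bucket but hides the constraints S3 and Glacier put on such rules. The following helper is an added example, not part of the original page or of Pulumi's own code: it builds the same `lifecycleRules` element from a small archive plan and enforces the checks a practitioner usually trips over (the IA classes cannot be targeted before day 30, an expiration must be later than the transition, and deleting an object before the class's minimum billable duration is charged as if it had stayed the full period). The `ArchivePlan`, `LifecycleRule` and `buildArchiveRule` names are my own; the day figures are AWS's documented limits.

```typescript
// Storage classes an S3 lifecycle transition can target in a log-archive setup.
type ArchiveClass = "STANDARD_IA" | "ONEZONE_IA" | "GLACIER_IR" | "GLACIER" | "DEEP_ARCHIVE";

// Minimum billable storage duration in days (AWS-documented figures). Deleting an
// object earlier is charged as if it had stayed the full period, so an expiration
// too close to the transition silently adds cost instead of saving it.
const MIN_STORAGE_DAYS: Record<ArchiveClass, number> = {
    STANDARD_IA: 30, ONEZONE_IA: 30, GLACIER_IR: 90, GLACIER: 90, DEEP_ARCHIVE: 180,
};

// Minimum object age in STANDARD before a transition is allowed. S3 rejects
// lifecycle rules that move objects to the IA classes before day 30; the
// Glacier classes may be targeted from day 0.
const MIN_TRANSITION_DAYS: Record<ArchiveClass, number> = {
    STANDARD_IA: 30, ONEZONE_IA: 30, GLACIER_IR: 0, GLACIER: 0, DEEP_ARCHIVE: 0,
};

// Hypothetical input type for this example.
export interface ArchivePlan {
    transitionDays: number;     // object age at which it moves to the archive class
    storageClass: ArchiveClass;
    expirationDays?: number;    // optional object age at which it is deleted
}

// Same shape as one element of `lifecycleRules` on the Pulumi aws.s3.Bucket
// resource, so the result can be passed to that argument unchanged.
export interface LifecycleRule {
    enabled: boolean;
    transitions: { days: number; storageClass: ArchiveClass }[];
    expiration?: { days: number };
}

export interface ValidatedRule {
    rule: LifecycleRule;
    warnings: string[];   // cost caveats that are legal but probably unintended
}

export function buildArchiveRule(plan: ArchivePlan): ValidatedRule {
    const { transitionDays, storageClass, expirationDays } = plan;
    const warnings: string[] = [];

    if (!Number.isInteger(transitionDays) || transitionDays < 0) {
        throw new Error(`transitionDays must be a non-negative integer, got ${transitionDays}`);
    }
    if (transitionDays < MIN_TRANSITION_DAYS[storageClass]) {
        throw new Error(
            `${storageClass} requires objects to age ${MIN_TRANSITION_DAYS[storageClass]} days in STANDARD first`);
    }

    const rule: LifecycleRule = {
        enabled: true,
        transitions: [{ days: transitionDays, storageClass }],
    };

    if (expirationDays !== undefined) {
        // S3 requires the expiration age to be strictly greater than every transition age.
        if (!Number.isInteger(expirationDays) || expirationDays <= transitionDays) {
            throw new Error(
                `expirationDays (${expirationDays}) must be an integer greater than transitionDays (${transitionDays})`);
        }
        const daysInArchive = expirationDays - transitionDays;
        if (daysInArchive < MIN_STORAGE_DAYS[storageClass]) {
            warnings.push(
                `objects spend only ${daysInArchive} days in ${storageClass}; ` +
                `the minimum billable duration is ${MIN_STORAGE_DAYS[storageClass]} days, so early-deletion charges apply`);
        }
        rule.expiration = { days: expirationDays };
    }

    return { rule, warnings };
}

// The page's own setting: move objects to GLACIER after 30 days and never expire them.
export const pageRule = buildArchiveRule({ transitionDays: 30, storageClass: "GLACIER" });
```

Passing `pageRule.rule` as the single element of `lifecycleRules` reproduces the bucket configuration in the program above; adding an `expirationDays` of 60 to the same plan returns a rule S3 will accept but with a warning, because the objects would be deleted after only 30 of the 90 billable Glacier days.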
