Sign In to the Console
AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS Documentation » AWS CloudFormation » User Guide » Template Reference » AWS Resource and Property Types Reference » Amazon CloudWatch Resource Types Reference » AWS::Logs::Destination

AWS::Logs::Destination

The AWS::Logs::Destination resource creates an Amazon CloudWatch Logs (CloudWatch Logs) destination, which enables you to specify a physical resource (such as an Kinesis stream) that subscribes to CloudWatch Logs log events from another AWS account. For more information, see Cross-Account Log Data Sharing with Subscriptions in the Amazon CloudWatch User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Logs::Destination",
  "Properties" : {
    "DestinationName" : String,
    "DestinationPolicy" : String,
    "RoleArn" : String,
    "TargetArn" : String
  }
}

YAML

Type: AWS::Logs::Destination
Properties: 
  DestinationName: String
  DestinationPolicy: String
  RoleArn: String
  TargetArn: String

Properties

DestinationName

The name of the CloudWatch Logs destination that you will reference in the DestinationPolicy property.

Required: Yes

Type: String

Update requires: Replacement

DestinationPolicy

An AWS Identity and Access Management (IAM) policy that specifies who can write to your destination.

Required: Yes

Type: String

Update requires: No interruption

RoleArn

The Amazon Resource Name (ARN) of an IAM role that permits CloudWatch Logs to send data to the specified AWS resource (TargetArn).

Required: Yes

Type: String

Update requires: No interruption

TargetArn

The ARN of the AWS resource that receives log events. Currently, you can specify only an Kinesis stream.

Required: Yes

Type: String

Update requires: No interruption

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name, such as TestDestination.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

Arn

The ARN of the CloudWatch Logs destination, such as arn:aws:logs:us-east-2:123456789012:destination:MyDestination.

For more information about using Fn::GetAtt, see Fn::GetAtt.

Example

In the following example, the target stream (TestStream) can receive log events from the logger IAM user that is in the 234567890123 AWS account. The user can call only the PutSubscriptionFilter action against the TestDestination destination.

JSON

"DestinationWithName" : {
  "Type" : "AWS::Logs::Destination",
  "Properties" : {
    "DestinationName": "TestDestination",
    "RoleArn": "arn:aws:iam::123456789012:role/LogKinesisRole",
    "TargetArn": "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream",
    "DestinationPolicy": "{\"Version\" : \"2012-10-17\",\"Statement\" : [{\"Effect\" : \"Allow\", \"Principal\" : {\"AWS\" : \"arn:aws:iam::234567890123:user/logger\"},
\"Action\" : \"logs:PutSubscriptionFilter\", \"Resource\" : \"arn:aws:logs:us-east-1:123456789012:destination:TestDestination\"}]}"
  }
}

YAML

DestinationWithName: 
  Type: AWS::Logs::Destination
  Properties: 
    DestinationName: "TestDestination"
    RoleArn: "arn:aws:iam::123456789012:role/LogKinesisRole"
    TargetArn: "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream"
    DestinationPolicy: >
      {"Version" : "2012-10-17","Statement" : [{"Effect" : "Allow", "Principal" : {"AWS" : "arn:aws:iam::234567890123:user/logger"},"Action" : "logs:PutSubscriptionFilter", "Resource" : "arn:aws:logs:us-east-1:123456789012:destination:TestDestination"}]}