Introducing Customer-Facing DataPower Logging for API Connect SaaS on AWS
We are excited to announce customer-facing DataPower logging for Premium customers of API Connect SaaS on AWS. Enabling this feature allows you to stream DataPower logs to a destination you own, such as an AWS S3 Bucket or an AWS CloudWatch Log Group.
Configuring an S3 Bucket as a Log Destination
To configure an S3 bucket as a log destination for your DataPower logs, complete the following steps.
1. Create an S3 Bucket in your AWS account. Note that we will use the {BUCKET_NAME} placeholder in this guide.
2. Create an IAM Policy that will be used to access your Bucket. Using the JSON policy editor, compose the following permissions definition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::{BUCKET_NAME}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::{BUCKET_NAME}/*"
    }
  ]
}
3. Create an IAM Role that will be used to access your Bucket. Select the AWS Account option for the Trusted Entity Type, then select Another AWS Account and enter 623947394061 for the Account ID.
4. After clicking Next, search for and select the name of the IAM Policy you created in Step 2. Then click Next to enter a Role Name and create the Role.
5. Copy down both the ARN of this IAM Role and the name of your S3 Bucket - these will be used to register your Service Instance and enable customer-facing DataPower logging.
6. Open a support ticket with API Connect to finalize enabling customer-facing logging, providing the ARN of the IAM Role, along with the region and the name of your S3 Bucket.
Configuring a CloudWatch Log Group as a Log Destination
To configure a CloudWatch Log Group as a destination for your DataPower logs, complete the following steps.
1. Create a CloudWatch Log Group in your AWS account. Note that we will use the {AWS_REGION}, {AWS_ACCOUNT_ID}, and {LOG_GROUP_NAME} placeholders in this guide.
2. Create an IAM Policy that will be used to access your Log Group. Using the JSON policy editor, compose the following permissions definition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "logs:TagResource",
      "Effect": "Allow",
      "Resource": "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT_ID}:log-group:{LOG_GROUP_NAME}"
    },
    {
      "Action": [
        "logs:AssociateKmsKey",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteDataProtectionPolicy",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DisassociateKmsKey",
        "logs:FilterLogEvents",
        "logs:GetDataProtectionPolicy",
        "logs:GetLogEvents",
        "logs:GetLogGroupFields",
        "logs:ListTagsLogGroup",
        "logs:PutDataProtectionPolicy",
        "logs:PutDestination",
        "logs:PutDestinationPolicy",
        "logs:PutLogEvents",
        "logs:PutRetentionPolicy",
        "logs:StartQuery",
        "logs:TagLogGroup",
        "logs:UntagLogGroup"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT_ID}:log-group:{LOG_GROUP_NAME}:*"
    }
  ]
}
3. Create an IAM Role that will be used to access your Log Group. Select the AWS Account option for the Trusted Entity Type, then select Another AWS Account and enter 623947394061 for the Account ID.
4. After clicking Next, search for and select the name of the IAM Policy you created in Step 2. Then click Next to enter a Role Name and create the Role.
5. Copy down both the ARN of this IAM Role and the name of your Log Group - these will be used to register your Service Instance and enable customer-facing DataPower logging.
6. Open a support ticket with API Connect to finalize enabling customer-facing logging, providing the ARN of the IAM Role, along with the region and the name of your Log Group.
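Both procedures above (the S3 Bucket one and the CloudWatch Log Group one) come down to three IAM documents: the permissions policy from Step 2, the trust policy that the console generates when you choose Another AWS Account in Step 3, and the attachment of one to the other in Step 4. The Python script below is an added example, not part of this announcement and not API Connect tooling. It builds those documents with the placeholders filled in, then checks, before you open the support ticket, that every Allow is pinned to your own bucket or log group and that the Role trusts only the account the page names. The bucket, region, account and log-group values are constructed placeholders; the trust-policy shape (an AWS principal of arn:aws:iam::ACCOUNT:root allowed sts:AssumeRole) is what the console produces for the Another AWS Account option.

```python
"""Build and sanity-check the IAM documents for customer-facing DataPower logging.

Added example, not IBM's or API Connect's own code. Placeholder values are
constructed; substitute your own bucket, region, account and log group.
"""
import json

# Account ID the page gives in Step 3 of both procedures.
API_CONNECT_ACCOUNT_ID = "623947394061"

# The twenty logs:* actions listed in the CloudWatch procedure, in page order.
CLOUDWATCH_ACTIONS = [
    "logs:AssociateKmsKey", "logs:CreateLogGroup", "logs:CreateLogStream",
    "logs:DeleteDataProtectionPolicy", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:DisassociateKmsKey", "logs:FilterLogEvents",
    "logs:GetDataProtectionPolicy", "logs:GetLogEvents", "logs:GetLogGroupFields",
    "logs:ListTagsLogGroup", "logs:PutDataProtectionPolicy", "logs:PutDestination",
    "logs:PutDestinationPolicy", "logs:PutLogEvents", "logs:PutRetentionPolicy",
    "logs:StartQuery", "logs:TagLogGroup", "logs:UntagLogGroup",
]


def s3_log_policy(bucket_name: str) -> dict:
    """Permissions policy from the S3 procedure with {BUCKET_NAME} filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket_name}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket_name}/*"},
        ],
    }


def cloudwatch_log_policy(region: str, account_id: str, log_group: str) -> dict:
    """Permissions policy from the CloudWatch procedure with placeholders filled in."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "logs:TagResource", "Effect": "Allow", "Resource": group_arn},
            {"Action": list(CLOUDWATCH_ACTIONS), "Effect": "Allow", "Resource": group_arn + ":*"},
        ],
    }


def cross_account_trust_policy(trusted_account_id: str) -> dict:
    """Trust policy the console generates for 'Another AWS Account' (Step 3)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def check_scope(policy: dict, expected_arn: str,
                enumerate_only=("s3:ListAllMyBuckets",)) -> list:
    """Return the Allow statements that are NOT pinned to expected_arn.

    A resource is pinned if it is exactly the ARN or a child of it ("<arn>/..."
    for S3 objects, "<arn>:..." for log streams). The only tolerated wildcard is
    the enumerate-only s3:ListAllMyBuckets grant that the page itself puts on "*".
    Anything else, such as a data action on "*" or an ARN for a different bucket,
    is reported so it can be fixed before the Role is handed to the trusted account.
    """
    def pinned(resource: str) -> bool:
        return resource == expected_arn or resource.startswith((expected_arn + "/",
                                                                expected_arn + ":"))

    offending = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        wildcard_ok = resources == ["*"] and set(actions) <= set(enumerate_only)
        if not (wildcard_ok or all(pinned(r) for r in resources)):
            offending.append(stmt)
    return offending


def trusted_principals(trust_policy: dict) -> set:
    """Every AWS principal the Role lets call sts:AssumeRole on it."""
    found = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            found.update(_as_list(stmt["Principal"].get("AWS", [])))
    return found


if __name__ == "__main__":
    # Constructed placeholder values; replace them with your own before use.
    bucket, region, account, group = "example-apic-logs", "us-east-1", "111122223333", "apic-datapower"
    docs = [
        ("s3-permissions", s3_log_policy(bucket), f"arn:aws:s3:::{bucket}"),
        ("cloudwatch-permissions", cloudwatch_log_policy(region, account, group),
         f"arn:aws:logs:{region}:{account}:log-group:{group}"),
    ]
    for name, doc, arn in docs:
        print(f"# {name}: {len(check_scope(doc, arn))} unscoped statement(s)")
        print(json.dumps(doc, indent=2))
    trust = cross_account_trust_policy(API_CONNECT_ACCOUNT_ID)
    print(f"# trust policy, principals: {sorted(trusted_principals(trust))}")
    print(json.dumps(trust, indent=2))
```

Run it and paste the printed documents into the JSON policy editor, or save them and feed them to `aws iam create-policy --policy-document file://...` and `aws iam create-role --assume-role-policy-document file://...` followed by `aws iam attach-role-policy`. `check_scope` also works on a policy document you have exported from an existing Role, which is the check worth running before sending the ARN in the support ticket. Note that a trust policy with an `:root` principal lets any identity in account 623947394061 that is itself permitted to call sts:AssumeRole take on the Role; the page describes no condition on that trust, so the script adds none.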
Customer-Facing DataPower Logging in Action
Please see the following video for an example of how to make use of the new customer-facing DataPower logging feature.