在使用Cloud Formation创建Amazon Elasticsearch服务时，出现了CloudWatch资源访问策略错误。

2021更新

Amazon Web Services推出了CloudFormation资源 AWS::Logs::ResourcePolicy，用于在CF中定义CloudWatch Logs的策略。我发现的主要问题是它只接受一个真正的字符串作为值。尝试使用Ref，Join等组装字符串会被拒绝。如果有人能够使其工作，那将是很好的。

使用YAML编写比JSON更容易，因为JSON需要转义所有的"字符。

OSLogGroupPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: AllowES
      PolicyDocument: '{"Version": "2012-10-17","Statement":[{"Effect":"Allow","Principal": {"Service": ["es.amazonaws.com"]},"Action":["logs:PutLogEvents","logs:CreateLogStream"],"Resource":"*"}]}'

我认为这里存在一些混淆，关于更新/设置哪些策略以启用ES将内容写入日志组。

我认为你应该将PolicyDocESIndexSlow策略应用于CloudWatch Logs。

并且据我所记，在 CloudFormation 中无法完成此操作。您必须使用put-resource-policy相应的API调用或控制台，如下所示:

• 查看 Amazon Elasticsearch Service 慢日志

最终的代码应该是这样的，
部署ES lambda_function.py

import logging
import time

import boto3
import json
from crhelper import CfnResource

logger = logging.getLogger(__name__)
helper = CfnResource(json_logging=False, log_level='DEBUG', boto_level='CRITICAL', sleep_on_delete=120)

try:
    # Init code goes here
    pass
except Exception as e:
    helper.init_failure(e)


@helper.create
@helper.update
def create(event, _):
    logger.info("Got Create/Update")

    my_log_group_arn = event['ResourceProperties']['MYLOGGROUPArn']

    client = boto3.client('logs')

    policy_document = dict()
    policy_document['Version'] = '2012-10-17'
    policy_document['Statement'] = [{
        'Sid': 'ESLogsToCloudWatchLogs',
        'Effect': 'Allow',
        'Principal': {
            'Service': [
                'es.amazonaws.com'
            ]
        },
        'Action': 'logs:*',
    }]

    policy_document['Statement'][0]['Resource'] = my_log_group_arn 
    client.put_resource_policy(policyName='ESIndexSlowPolicy', policyDocument=json.dumps(policy_document))

    helper.Data['success'] = True
    helper.Data['message'] = 'ES policy deployment successful'

    # To return an error to Cloud Formation you raise an exception:
    if not helper.Data["success"]:
        raise Exception('Error message to cloud formation')

    return "MYESIDDEFAULT"


@helper.delete
def delete(event, _):
    logger.info("Got Delete")
    # Delete never returns anything. Should not fail if the underlying resources are already deleted.
    # Desired state.

    try:
        client = boto3.client('logs')
        client.delete_resource_policy(policyName='ESIndexSlowPolicy')

    except Exception as ex:
        logger.critical(f'ES policy delete failed with error [{repr(ex)}]')


def lambda_handler(event, context):
    helper(event, context)

云形成模板中的一些附加组件

 MYLAMBDAROLE:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/AmazonESFullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      RoleName: !Join
        - '-'
        - - lambda-role
          - !Ref 'AWS::Region'

  MYLAMBDADEPLOY:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        S3Bucket: es-bucket-for-lambda-ta86asdf596
        S3Key: es.zip
      FunctionName: deploy_es
      Handler: lambda_function.lambda_handler
      MemorySize: 128
      Role: !GetAtt
        - MYLAMBDAROLE
        - Arn
      Runtime: python3.8
      Timeout: 60

  MYESSETUP:
    Type: 'Custom::MYESSETUP'
    Properties:
      ServiceToken: !GetAtt
        - MYLAMBDADEPLOY
        - Arn
      MYLOGGROUPArn: !GetAtt
        - MYLOGGROUP
        - Arn
    DependsOn:
      - MYLAMBDADEPLOY
      - MYLOGGROUP

只需在MYESDOMAIN下方添加以下DependsOn

DependsOn:
  - MYESSETUP

在 AWS::Elasticsearch::Domain 资源中添加 DependsOn，可以解决 AWS::Logs::ResourcePolicy 的问题。
示例代码：

  ESLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: !Sub '/aws/OpenSearchService/domains/${NamePrefix}-es/application-logs'
      RetentionInDays: 30

  ESLogGroupPolicy:
    Type: AWS::Logs::ResourcePolicy
    DependsOn: ESLogGroup
    Properties:
      PolicyName: !Sub "es-logs-access-policy"
      PolicyDocument: '{"Version": "2012-10-17","Statement":[{"Effect":"Allow","Principal": {"Service": ["es.amazonaws.com"]},"Action":["logs:PutLogEvents","logs:CreateLogStream"],"Resource":"*"}]}'

  ESDomain:
    Type: AWS::Elasticsearch::Domain
    DependsOn: [ESLogGroupPolicy]
    Properties:
      DomainName: !Sub "${NamePrefix}-es"
      ...
      LogPublishingOptions:
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: !GetAtt ESLogGroup.Arn
          Enabled: true

对于使用 CDK V3 构造的人：

    const domain = new os.Domain(this, "domain", {...
    domain.addAccessPolicies(
      new iam.PolicyStatement({
        actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
        resources: [
          `${osAppLogGroup.logGroupArn}/*`,
          `${osSlowSearchLogGroup.logGroupArn}/*`,
          `${osSlowIndexLogGroup.logGroupArn}/*`
        ],
        effect: iam.Effect.ALLOW,
        principals: [new iam.ServicePrincipal('es.amazonaws.com')],
      })
    );