AWSTemplateFormatVersion: '2010-09-09' Description: This template creates a Kinesis Data Streams, with the relevant role, a CloudWatch Logs destination, a Lambda function and its role for creating CloudWatch filter subscription Parameters: LambdaFunctionName: Type: String Description: Name of the Lambda function AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-.]*[0-9a-zA-Z])*$ KinesisStreamName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-.]*[0-9a-zA-Z])*$ Description: Name of the Kinesis Data Streams Type: String Resources: KinesisDataSream: Type: AWS::Kinesis::Stream Properties: Name: !Ref KinesisStreamName RetentionPeriodHours: 24 ShardCount: 1 StreamEncryption: EncryptionType: KMS KeyId: alias/aws/kinesis KinesisIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - logs.amazonaws.com Policies: - PolicyName: PermissionsPolicyForCWL PolicyDocument: Version: 2012-10-17 Statement: - Action: - kinesis:PutRecord Effect: Allow Resource: - !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/* LogDestination: Type: AWS::Logs::Destination Properties: DestinationName: devDestination RoleArn: !GetAtt KinesisIAMRole.Arn TargetArn: !GetAtt KinesisDataSream.Arn DestinationPolicy: > {"Version" : "2012-10-17","Statement":[{"Effect": "Allow", "Principal" : {"AWS" : "${AWS::AccountId}"}, "Resource": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:destination:devDestination","Action": "logs:PutSubscriptionFilter"}]} lambdaFunction: Type: AWS::Lambda::Function Properties: Code: ZipFile: | import boto3 import logging import re import os def lambda_handler(event, context): cloudwatch_logs = boto3.client('logs') # Read lambda function name from the event and use it for log group lambda_arn = event['detail']['resources'][0]['arn'] log_group_to_subscribe =(re.search('function:(.+)', lambda_arn)).group(1) DESTINATION_STREAM = os.environ['destination_stream'] ROLE_ARN= os.environ['role_arn'] FILTER_NAME = 'Dummy_Filter' LOG_GROUP = "/aws/lambda/" + log_group_to_subscribe # Create a subscription filter cloudwatch_logs.put_subscription_filter( destinationArn=DESTINATION_STREAM, filterName= FILTER_NAME, filterPattern=' ', logGroupName=LOG_GROUP, roleArn=ROLE_ARN ) Environment: Variables: destination_stream : !GetAtt KinesisDataSream.Arn role_arn : !GetAtt KinesisIAMRole.Arn Description: Lambda function that will receive the event and Create a subscription filter FunctionName: !Ref LambdaFunctionName Handler: index.lambda_handler MemorySize: 128 Role: !GetAtt lambdaIAMRole.Arn Runtime: python3.8 lambdaIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com Policies: - PolicyName: LogGrouppoRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - logs:PutSubscriptionFilter Effect: Allow Resource: - !Sub arn:aws:logs:*:${AWS::AccountId}:log-group:* - Action: - logs:CreateLogGroup Effect: Allow Resource: - !Sub arn:aws:logs:*:${AWS::AccountId}:* - Action: - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - !Sub arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/${LambdaFunctionName}:* - Action: - iam:PassRole Effect: Allow Resource: - !GetAtt KinesisIAMRole.Arn Outputs: lambdaArn: Value: !GetAtt lambdaFunction.Arn