CloudWatch Logs access for an IAM user to only one specific log group
I initially tried all the JSON policies in the link below: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#customer-managed-policies-cwl

And I finally got a solution for giving "list, read, write" access to one specific log group for an IAM user by using the JSON policy below. But it is able to see the list of other log groups as well. As per the JSON policy below, I tried limiting the resource for listing as well. It didn't work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogRecord",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:FilterLogEvents",
                "logs:GetLogEvents"
            ],
            "Resource": "arn:aws:logs:us-east-1:XXXXXXXXXXXX:log-group:/aws/lambda/XXXX:log-stream:*"
        }
    ]
}

But then I found tagging as a solution and tried tagging the log group and the user with the same tag and tried the JSON policy below. That didn't work either.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "logs:ResourceTag/Team": "Green"
                }
            }
        }
    ]
}

Please can someone kindly suggest a way where I could give access to one specific IAM user for only one log group, either list & read, or list, read & write. But that user should not be able to see the other log groups.

Landgrabber answered 29/5, 2020 at 11:36
Comment: DescribeLogGroups is not a resource-level action; you cannot achieve it. (Peddada)
We have been struggling with the same thing for a while now. The solution we reached consisted of giving logs:DescribeLogGroups on all log groups while giving more granular access to queries and Live Tail.

This way the user sees all the log groups on the main page but can only see streams and perform search and Live Tail for one log group.

The IAM policy goes as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "logs:StartLiveTail",
                "logs:StopLiveTail",
                "cloudwatch:GenerateQuery"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:us-east-2:XXXXXXXXXXXX:log-group:SampleLogGroupName:*"
        }
    ]
}
Herefordshire answered 5/2, 2024 at 8:44
Comments:
Also may need logs:DescribeLogStreams. (Eviaevict)
@Eviaevict this should be covered by "logs:Describe*". (Herefordshire)
@AdhamNm, according to AWS, logs:StopQuery and logs:StopLiveTail have no resource-based interaction. They operate only on a given Live Tail session or a given CloudWatch Logs Insights query, which are not categorized as resources. As a result, when you specify the Resource field in IAM policies for these operations, you must set the value of the Resource field to *. Ref: docs.aws.amazon.com/AmazonCloudWatch/latest/logs/… (Candelabra)
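An added check, not code from the question or from either answer, that tests the point raised in the question's first comment and in the comments above: it parses a policy document and reports the CloudWatch Logs actions that this thread says only work with Resource "*" (DescribeLogGroups, StopQuery, StopLiveTail) but that the policy allows only on a scoped log-group ARN. The action list is a partial, constructed set, and the account id and log group name in the samples are placeholders.

```python
import fnmatch
import json

# Constructed, partial list: the CloudWatch Logs actions this thread identifies as
# not resource-level (DescribeLogGroups, StopQuery, StopLiveTail). They succeed only
# when allowed with Resource "*". Extend it from the Service Authorization Reference.
STAR_ONLY_ACTIONS = {"logs:DescribeLogGroups", "logs:StopQuery", "logs:StopLiveTail"}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive with * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def star_only_actions_not_granted_on_star(policy_json):
    """Return the STAR_ONLY_ACTIONS that the policy allows only on a scoped
    Resource: those calls are denied at runtime although the policy appears to
    grant them. Actions the policy never allows are not reported."""
    on_star, scoped = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        bucket = on_star if "*" in _as_list(stmt.get("Resource", [])) else scoped
        bucket.update(a for a in STAR_ONLY_ACTIONS if _matches(a, patterns))
    return sorted(scoped - on_star)


# Placeholder ARN for the samples below (constructed account id and log group name).
LOG_GROUP_ARN = "arn:aws:logs:us-east-2:111111111111:log-group:SampleLogGroupName:*"

# Constructed sample with the shape of the second answer's policy: DescribeLogGroups
# on "*", everything else scoped to one log group. Expect StopQuery and StopLiveTail.
ANSWER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
    {"Effect": "Allow", "Resource": LOG_GROUP_ARN,
     "Action": ["logs:Describe*", "logs:Get*", "logs:StartQuery", "logs:StopQuery",
                "logs:FilterLogEvents", "logs:StartLiveTail", "logs:StopLiveTail"]},
]})

# Constructed sample of what the question hoped for: Describe* scoped to one log
# group only. The check reports that DescribeLogGroups cannot be limited this way.
SCOPED_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:Describe*", "Resource": LOG_GROUP_ARN},
]})
```

Running the check on a candidate policy before attaching it to the user surfaces the two denials the last comment describes, and shows why scoping Describe* alone can never hide the other log groups.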
But it is able to see the list of other log groups as well

That's not something you can typically do within AWS. Generally, IAM permissions can't affect the result of an API action; they can't filter it to only show something in particular. This is one of the reasons AWS recommends isolating workloads by using different accounts, as API calls are only scoped to one account.

In this case, you can either not give access at all or give access to list everything.

Specimen answered 17/2, 2023 at 21:49
