How do I restrict access to CloudWatch Logs for a specific user or AWS service?

Reading time: 1 minute

I want to restrict access to Amazon CloudWatch Logs for a specific user or AWS service.

Short description

To restrict access to your log groups, use identity-based AWS Identity and Access Management (IAM) policies for users and service-linked roles for AWS services.


Restrict access to CloudWatch Logs for a specific user

The following IAM policy grants only the logs:DescribeLogGroups action, the minimum permission needed to list log groups, and scopes it to a single log group ARN. The trailing :* in the ARN covers the log group and every log stream inside it, so the same Resource value works if you later add read actions such as logs:GetLogEvents and logs:FilterLogEvents. The policy grants no write or delete actions, so the user can't create, modify, or remove log data.

Example IAM policy:

Note: Replace example-region with your AWS Region, 123456789012 with your AWS account ID, and example-log-group with your log group name (for a name that contains slashes, such as /aws/lambda/my-function, keep the slashes as they are).

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "logs:DescribeLogGroups"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:logs:example-region:123456789012:log-group:example-log-group:*"
        }
      ]
    }
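To see what the policy above does and doesn't permit before you attach it, the following added example (not code from this article or from AWS) runs a deliberately simplified model of IAM evaluation over it: explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. It handles only Effect, Action and Resource with IAM-style * and ? wildcards and ignores Condition, NotAction, NotResource, permissions boundaries and SCPs, so treat it as an illustration, not as a substitute for the IAM policy simulator. The Region, account ID and log group and stream names are assumed values.

```python
"""Simplified IAM Allow/Deny evaluation for a CloudWatch Logs identity policy.

Added example, not AWS code. Models only Effect, Action and Resource matching;
Condition, NotAction/NotResource, permissions boundaries and SCPs are ignored.
"""
import json
import re

REGION = "us-east-1"                   # assumed Region
ACCOUNT = "123456789012"               # placeholder account ID from the article
LOG_GROUP = "/aws/lambda/example-fn"   # assumed log group name


def log_group_arn(name, region=REGION, account=ACCOUNT):
    """ARN pattern covering the log group and every log stream in it (trailing ':*')."""
    return f"arn:aws:logs:{region}:{account}:log-group:{name}:*"


def log_stream_arn(group, stream, region=REGION, account=ACCOUNT):
    """ARN of a single log stream; it starts with the group ARN, so 'group:*' matches it."""
    return f"arn:aws:logs:{region}:{account}:log-group:{group}:log-stream:{stream}"


def build_log_group_policy(actions, log_groups, region=REGION, account=ACCOUNT):
    """Identity-based policy that grants `actions` on the listed log groups only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [log_group_arn(g, region, account) for g in log_groups],
        }],
    }


# The article's policy: list permission on a single log group and nothing else.
LIST_ONLY_POLICY = build_log_group_policy(["logs:DescribeLogGroups"], [LOG_GROUP])


def _wildcard_match(pattern, value, case_sensitive=True):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Explicit Deny beats Allow; no matching statement means implicit deny.
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, case_sensitive=False)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(p, resource)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def main():
    group = log_group_arn(LOG_GROUP)
    stream = log_stream_arn(LOG_GROUP, "2024/05/01/[$LATEST]abc123")          # constructed
    other_stream = log_stream_arn("/aws/lambda/other-fn", "2024/05/01/[$LATEST]def456")
    read_policy = build_log_group_policy(
        ["logs:DescribeLogGroups", "logs:GetLogEvents", "logs:FilterLogEvents"], [LOG_GROUP])
    checks = [
        (LIST_ONLY_POLICY, "logs:DescribeLogGroups", group),    # allow: exactly what was granted
        (LIST_ONLY_POLICY, "logs:GetLogEvents", stream),        # deny: action not granted
        (LIST_ONLY_POLICY, "logs:DescribeLogGroups",
         log_group_arn("/aws/lambda/other-fn")),                # deny: different log group
        (read_policy, "logs:GetLogEvents", stream),             # allow: stream inside the group
        (read_policy, "logs:GetLogEvents", other_stream),       # deny: stream in another group
        (read_policy, "logs:DeleteLogGroup", group),            # deny: never listed in Action
    ]
    for policy, action, resource in checks:
        verdict = "ALLOW" if is_allowed(policy, action, resource) else "DENY"
        print(f"{verdict:<5} {action:<24} {resource}")
    print(json.dumps(LIST_ONLY_POLICY, indent=2))


if __name__ == "__main__":
    main()
```

The point of the two policies is the difference between listing and reading: the article's policy lets the user see that the log group exists, while reading events needs logs:GetLogEvents or logs:FilterLogEvents added to Action, and the :* suffix is what makes the same Resource line cover the group's log streams.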

Restrict access to CloudWatch Logs for an AWS service

For AWS services that interact with CloudWatch Logs, use service-linked roles. A service creates its service-linked role the first time you configure a feature that needs one, provided that the IAM principal doing the setup has the iam:CreateServiceLinkedRole permission. The role carries a policy managed by the service that grants only the permissions that service needs, and you can't edit that policy, so the service can't be granted more CloudWatch Logs access than its own policy allows. Not every service uses a service-linked role: some, such as AWS Lambda, write to CloudWatch Logs through an execution role that you create, and you restrict that role's access with the same kind of identity-based policy shown above.

Note: You can create and attach identity-based IAM policies in the AWS Management Console, the AWS CLI, or the API. CloudWatch Logs resource-based policies, which grant other AWS services permission to write to your log groups, have no console editor; manage them with the PutResourcePolicy, DescribeResourcePolicies, and DeleteResourcePolicy API calls (for example, aws logs put-resource-policy).