Unable to output session manager logs in CloudWatchLogs using CloudWatchLogs resource policy

0

I am trying to output session manager logs in CloudWatchLogs using a resource policy (not using IAM). However, I am unable to see any session logs in my log group streams. Below are the configurations I have made.

Session Manager:

  1. CloudWatch logging is enabled for sending session logs to CloudWatch.
  2. The logging option set to stream session logs.
  3. The CloudWatch log group is set to 'session-manager'.
  4. Enforce CloudWatch log encryption is set to 'No'.

CloudWatch:

  1. In Log group details for 'session-manager', I have not set any KMS Key ID or Data protection, and the retention is set to 'Never expire'.

EC2:

  1. My instance has 'AmazonSSMRoleForInstancesQuickStep' role with the 'AmazonSSMManagedInstanceCore' policy.

Steps I have taken:

  1. I used CloudShell and executed the following commands:
     ・To put the resource policy:
     aws logs put-resource-policy --policy-name AllowSessionManagerLogsToCloudWatch --policy-document file://ssmpolicy.json
     ・To ensure that the policy has been created (only the 'AllowSessionManagerLogsToCloudWatch' policy exists):
     aws logs describe-resource-policies --region ap-northeast-1
  2. I connected to the EC2 instance using Session Manager, executed a few commands, and terminated the session. Since I have also enabled S3 logging, the logs are successfully delivered to the specified S3 bucket. However, there are no output logs in the CloudWatch log group.

The policy I am using is as follows. In the policy, I also tried including "ec2.amazonaws.com" and "delivery.logs.amazonaws.com".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com"
        ]
      },
      "Action": [
        "logs:*"
      ],
      "Resource": [
        "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]
        }
      }
    }
  ]
}
1 Answer
0

Hello.

If I attach the following IAM policy to the EC2 IAM role, will the logs be output?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
            ]
        }
    ]
}

Resource-based policies define who is allowed to perform which actions, so wouldn't it be necessary to allow the ARN of the EC2 IAM role in "Principal"?

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AWSLogDeliveryWrite20150319",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::AWS-account-ID:role/ec2-role-name"
        },
        "Action": [
          "logs:*"
        ],
        "Resource": [
          "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
        ],
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": ["0123456789"]
          },
          "ArnLike": {
            "aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]
          }
        }
      }
    ]
  }
EXPERT
answered 6 months ago
  • Hi,

    Yes, you will be able to output the logs if you attach that policy to the EC2 IAM role. However, in my case, I am trying to output session manager logs by enabling logging from SSM directly, without using an IAM policy.

    I assume the policy you are referring to is an IAM policy and not a CloudWatch Logs resource policy.

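The thread turns on which caller CloudWatch Logs actually evaluates. When Session Manager streams a session to CloudWatch Logs, the SSM Agent running on the instance makes the CloudWatch Logs API calls with the instance role's credentials, and the Session Manager instance-profile documentation lists logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams as the permissions that role needs. The script below is an added example written for this page, not code from the question, the answer or AWS. It builds a least-privilege version of the instance-role policy the answer proposes, and lints policy documents for the problems visible in the thread: a service principal that the agent's call can never match, a `logs:*` wildcard, missing required actions, and ARNs that do not have the six colon-separated fields of `arn:partition:service:region:account:resource` (the `aws:SourceArn` value in the question's resource policy has five). The function names, `REQUIRED_ACTIONS`, and the two policy documents reconstructed from the thread are my own constructions; granting logs:DescribeLogGroups on `*` follows the AWS example policy.

```python
"""Lint policy documents used for Session Manager log streaming (added example)."""
import json
import re

# Permissions the SSM Agent needs on the instance role to stream a session to
# CloudWatch Logs, per the Session Manager instance-profile documentation.
REQUIRED_ACTIONS = {
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
}

# arn:partition:service:region:account-id:resource. Region and account may be
# empty; the resource part may itself contain colons.
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    granted = set()
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "Service" in principal:
            findings.append(
                f"{sid}: grants to service principal(s) {_as_list(principal['Service'])}; "
                "the SSM Agent writes session logs with the instance role's credentials, "
                "so a service principal never matches that caller"
            )
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "logs:*"):
                findings.append(f"{sid}: wildcard action {action!r}; grant only the logs actions needed")
                granted |= REQUIRED_ACTIONS  # a wildcard does cover them, so don't report them missing
            else:
                granted.add(action)
        for arn in _as_list(stmt.get("Resource")):
            if arn != "*" and not ARN_RE.match(arn):
                findings.append(f"{sid}: malformed Resource ARN {arn!r}")
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key.lower() == "aws:sourcearn":
                    for arn in _as_list(values):
                        if not ARN_RE.match(arn):
                            findings.append(f"{sid}: {operator}/{key} value {arn!r} is not a six-field ARN")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing actions: " + ", ".join(sorted(missing)))
    return findings


def instance_role_policy(region, account_id, log_group):
    """Least-privilege instance-role policy: the answer's approach with all four actions."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SessionManagerStreamToLogGroup",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
                "Resource": [group_arn, f"{group_arn}:*"],  # the group and its streams
            },
            {
                "Sid": "SessionManagerDescribeLogGroups",
                "Effect": "Allow",
                "Action": ["logs:DescribeLogGroups"],
                "Resource": "*",  # as in the AWS example policy
            },
        ],
    }


# Constructed from the question's resource policy (same placeholder account/region).
QUESTION_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogDeliveryWrite20150319", "Effect": "Allow",
        "Principal": {"Service": ["ssm.amazonaws.com"]},
        "Action": ["logs:*"],
        "Resource": ["arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"],
        "Condition": {"StringEquals": {"aws:SourceAccount": ["0123456789"]},
                      "ArnLike": {"aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]}},
    }],
}

# Constructed from the answer's proposed IAM policy for the instance role.
ANSWER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": ["logs:PutLogEvents"],
        "Resource": ["arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"],
    }],
}

if __name__ == "__main__":
    generated = instance_role_policy("ap-northeast-1", "0123456789", "session-manager")
    for name, doc in [("question resource policy", QUESTION_RESOURCE_POLICY),
                      ("answer IAM policy", ANSWER_IAM_POLICY),
                      ("generated instance-role policy", generated)]:
        print(f"== {name}")
        for finding in lint_policy(doc) or ["no findings"]:
            print(" -", finding)
    print(json.dumps(generated, indent=2))
```

Attach the generated policy to the instance role (in addition to AmazonSSMManagedInstanceCore, which does not include CloudWatch Logs permissions), then start a new session; the linter is only a static check and does not replace the IAM policy simulator or a live test.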