How to give a user access only to a specific group of CloudWatch logs


Hello

I have created a user and I want to give him permission to access only a specific set of CloudWatch log groups. For this, I have assigned the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/copro*"
        }
    ]
}

When the user tries to access CloudWatch, this is the error message he gets:

User: arn:aws:iam::<accountId>:user/poreck is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:<aws-region>:<accountId>:log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action

I understand that the action logs:DescribeLogGroups is not applicable to a specific resource, because if in the policy I replace the value of the Resource field with "*", the user has access to all the log groups, and I don't want that.

My question is whether there is a way to get around this restriction by modifying the policy, or whether there is a simple external solution for retrieving these specific log groups.

Thanks for any help

Sincerely

  • Could you please elaborate how that particular user wants to access the logs? Via the AWS Management Console? Via AWS CLI? AWS SDK for a programming language?

asked 2 years ago, 3,699 views

1 answer

The ARN for CloudWatch log groups follows this pattern: arn:aws:logs:us-east-1:123456789012:log-group:/loggroupname:*

Note the trailing :*

It references each log stream. Please try modifying your policy like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:<full-log-group-name>:*"
        }
    ]
}
AWS
answered 1 year ago
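The error message in the question names the resource arn:aws:logs:...:log-group::log-stream:, which contains no log group name, so a Resource pattern that begins with a log group name can never match it, with or without a trailing :*. The following added example (not part of the original question or answer) puts the posted policy beside a version that gives logs:DescribeLogGroups its own statement on "*" while keeping every data-reading action scoped to the /ecs/copro* groups, and checks both against the requests from this thread with a small local evaluator that applies IAM's wildcard rules. The region, account ID, log group names, stream name and the evaluator itself are constructed for the illustration; the evaluator models only Allow/Deny, Action and Resource, not Conditions.

```python
"""Added example (not from the original post): the policy from the question beside a
corrected version, and a local check of how IAM matches a request against each.
Region, account ID, log group and stream names are constructed placeholders."""
import re

REGION, ACCOUNT = "eu-west-1", "123456789012"  # constructed placeholders


def arn(suffix: str) -> str:
    """Build a CloudWatch Logs ARN in the placeholder account."""
    return f"arn:aws:logs:{REGION}:{ACCOUNT}:{suffix}"


READ_ACTIONS = [
    "logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery",
    "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents",
]

# The policy as posted in the question: every action is tied to the /ecs/copro* groups.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": arn("log-group:/ecs/copro*")}
    ],
}

# Corrected policy: the console lists groups with logs:DescribeLogGroups, which IAM
# evaluates against a resource that names no log group, so that one action gets "*".
# Everything that reads log data stays scoped; the trailing "*" in the pattern also
# covers the log-stream ARNs (log-group:<name>:log-stream:<stream>) used by GetLogEvents.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListGroupNamesOnly", "Effect": "Allow",
         "Action": "logs:DescribeLogGroups", "Resource": "*"},
        {"Sid": "ReadOnlyCoproGroups", "Effect": "Allow",
         "Action": READ_ACTIONS, "Resource": arn("log-group:/ecs/copro*")},
    ],
}


def _matches(pattern: str, value: str, *, ignore_case: bool = False) -> bool:
    """IAM wildcard matching: '*' is any run of characters (colons and slashes
    included), '?' is exactly one character; nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-based policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants, otherwise default deny. Conditions, NotAction and
    NotResource are not modelled (constructed approximation, sufficient here).
    Action names are case-insensitive in IAM; resource ARNs are matched as written."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, ignore_case=True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# The request from the error message in the question, with region and account filled in.
LISTING_REQUEST = ("logs:DescribeLogGroups", arn("log-group::log-stream:"))


def explain(policy: dict) -> dict:
    """Decisions for the requests that matter in this thread, for one policy."""
    return {
        "list log groups (console)": is_allowed(policy, *LISTING_REQUEST),
        "filter /ecs/copro-api": is_allowed(
            policy, "logs:FilterLogEvents", arn("log-group:/ecs/copro-api")),
        "read stream in /ecs/copro-api": is_allowed(
            policy, "logs:GetLogEvents", arn("log-group:/ecs/copro-api:log-stream:task-1")),
        "filter /ecs/other": is_allowed(
            policy, "logs:FilterLogEvents", arn("log-group:/ecs/other")),
        "write to /ecs/copro-api": is_allowed(
            policy, "logs:PutLogEvents", arn("log-group:/ecs/copro-api:log-stream:task-1")),
    }


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("scoped", SCOPED_POLICY)):
        print(name)
        for request, decision in explain(policy).items():
            print(f"  {request:32} {'allow' if decision else 'deny'}")
```

Granting logs:DescribeLogGroups on "*" lets the user see the names of every log group in the account, but only the names: the actions that return log data stay restricted to the /ecs/copro* groups, so this is the smallest concession that makes the console listing work. If even the names are too much, the user can skip the listing and address the groups directly, for example with aws logs filter-log-events --log-group-name /ecs/copro-api, which needs only the scoped statement because logs:FilterLogEvents is evaluated against the log group ARN. Before deploying, check the Service Authorization Reference for CloudWatch Logs for any other action the user needs that is listed without a resource type; those belong in the "*" statement as well, and the real decision should be confirmed with the IAM policy simulator rather than the approximation above.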
