IAM resources require region and account ID?

0

I tried simplifying my IAM policy https://github.com/kaihendry/terraform-aws-canary/blob/main/iam.tf#L39 from

"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/cwsyn-*"

to

"arn:aws:logs:::log-group:/aws/lambda/cwsyn-*"

And now it doesn't work. Why?

hendry
asked a year ago, 798 views
2 answers
0
Accepted answer

The ARN of a CloudWatch Log Group requires the region code and account ID in the path. If you do not want to specify the region code/account name in the path, you should try the form below.

"arn:aws:logs:*:*:log-group:/aws/lambda/cwsyn-*"

Paths can include a wildcard character, namely an asterisk (*). Please refer to the link below.

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

AWS
answered a year ago
0

Please refer to the details on resource ARNs: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id

To look up the ARN format for a specific AWS resource, open the Service Authorization Reference, open the page for the service, and navigate to the resource types table.

Looks like for a log group it is

arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}

Note: You can specify IAM and AWS STS ARNs using the following syntax. The Region portion of the ARN is blank because IAM resources are global. Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html

arn:aws:iam::account:root  
arn:aws:iam::account:user/user-name-with-path
arn:aws:iam::account:group/group-name-with-path
arn:aws:iam::account:role/role-name-with-path
arn:aws:iam::account:policy/policy-name-with-path
arn:aws:iam::account:instance-profile/instance-profile-name-with-path
arn:aws:sts::account:federated-user/user-name
arn:aws:sts::account:assumed-role/role-name/role-session-name
arn:aws:iam::account:mfa/virtual-device-name-with-path
arn:aws:iam::account:u2f/u2f-token-id
arn:aws:iam::account:server-certificate/certificate-name-with-path
arn:aws:iam::account:saml-provider/provider-name
arn:aws:iam::account:oidc-provider/provider-name
AWS
EXPERT
answered a year ago
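To see why the "simplified" Resource string fails while the `*:*` form from the accepted answer works, the added example below (not code from the thread or from the linked Terraform repo) implements the IAM Resource-element wildcard semantics (`*` matches any run of characters, `?` exactly one, everything else literal and case-sensitive) and splits ARNs into the six colon-separated fields described in the second answer. It evaluates the three patterns from the thread against a constructed log-group ARN; the region `us-east-1`, account `123456789012` and log group `/aws/lambda/cwsyn-canary-abc123` are made-up values standing in for what Terraform's `data.aws_region` / `data.aws_caller_identity` would resolve to.

```python
import re

# Constructed example: the ARN CloudWatch Logs evaluates when the canary's Lambda
# writes to its log group. Region, account ID and log group name are made up.
ACTUAL_LOG_GROUP_ARN = (
    "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary-abc123"
)

# The three Resource patterns discussed in the thread: the original fully qualified
# one (region/account filled in), the "simplified" one that broke, and the wildcard
# form suggested in the accepted answer.
POLICY_RESOURCES = {
    "explicit": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-*",
    "empty": "arn:aws:logs:::log-group:/aws/lambda/cwsyn-*",
    "wildcard": "arn:aws:logs:*:*:log-group:/aws/lambda/cwsyn-*",
}

ARN_FIELDS = ("prefix", "partition", "service", "region", "account", "resource")


def resource_matches(pattern: str, value: str) -> bool:
    """IAM Resource-element matching: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character, all else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def arn_fields(arn: str) -> dict:
    """Split an ARN into its six fields. The resource part may itself contain
    colons (e.g. 'log-group:/aws/lambda/...'), so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts))


def mismatched_fields(pattern: str, arn: str) -> list:
    """Return the ARN fields of `pattern` that do not match `arn`, in ARN order.
    An empty field in the pattern is the literal empty string, not a wildcard,
    which is why 'arn:aws:logs:::log-group:...' never matches a real log group."""
    p, a = arn_fields(pattern), arn_fields(arn)
    return [name for name in ARN_FIELDS if not resource_matches(p[name], a[name])]


def evaluate(arn: str = ACTUAL_LOG_GROUP_ARN) -> dict:
    """Whole-ARN match result for each candidate Resource pattern."""
    return {name: resource_matches(pat, arn) for name, pat in POLICY_RESOURCES.items()}


if __name__ == "__main__":
    for name, pattern in POLICY_RESOURCES.items():
        ok = resource_matches(pattern, ACTUAL_LOG_GROUP_ARN)
        bad = mismatched_fields(pattern, ACTUAL_LOG_GROUP_ARN)
        print(f"{name:9s} {'MATCH' if ok else 'NO MATCH':9s} mismatched fields: {bad or 'none'}")
```

The `empty` pattern fails on both the region and account fields, because a blank field is only correct for genuinely global services such as IAM and STS, whose ARNs the second answer lists. The `*:*` form matches, but it also widens the statement to every region; for a least-privilege policy the original interpolated form with `data.aws_region` and `data.aws_caller_identity` is the better choice. To confirm a real policy against the real ARN, `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names logs:CreateLogStream --resource-arns <log-group-arn>` reports allowed/denied without deploying anything.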
