Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Least-privilege Cloudwatch Logs policy for API Gateway

0

Hey!

I'm trying to set up a new API Gateway through Terraform, and I'm having some trouble setting up the IAM policy for the cloudwatch logs role. I've created the log group, and set retention to 1 day, but I'm unable to create a policy that'll be accepted by the AWS console.

My current (anonymised) effort looks like this:

{
    "Statement": [
        {
            "Action": "logs:DescribeLogGroups",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "LogGroups"
        },
        {
            "Action": [
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:CreateLogStream"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*",
            "Sid": "LogStreams"
        }
    ],
    "Version": "2012-10-17"
}

When I try to set the cloudwatch log arn in the console, I get an error The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy.. If I try to edit the policy in the visual editor, it doesn't seem to like the format of the resources, but I've checked those repeatedly against the docs.

The trust relationship is straightfoward

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Any ideas?

Temas
Sin servidorWeb y móvil front-endRedes y entrega de contenidoSeguridad, identidad y cumplimientoGestión y gobierno
Etiquetas
Amazon API GatewayPolíticas de IAMAmazon CloudWatch Logs
Idioma
English
BobTheMighty
preguntada hace 2 años1748 visualizaciones
1 Respuesta
2
Respuesta aceptada

I think it's looking for all the permissions required based on AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs as listed in this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions. Then, I don't think you can specify the log group, since API Gateway uses the same CloudWatch logs IAM role across the region (e.g other REST APIs in the region will use the same IAM role).

The following sample should work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchAccess1",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*:log-stream:*"
        },
        {
            "Sid": "CloudWatchAccess2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*"
        }
    ]
}
profile picture
joahna
respondido hace 2 años
  • BobTheMighty
    hace 2 años

    API Gateway uses the same CloudWatch logs IAM role across the region

    This is the first time I've consciously seen this information written down. That's super-helpful, thanks. I'll revert to using the managed policy and just ensure I've created my log-group before provisioning the APIG.

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante