I want to restrict access to Amazon CloudWatch Logs for a specific user or AWS service.
Short description
To restrict access to your log groups, use identity-based AWS Identity and Access Management (IAM) policies for users and service-linked roles for AWS services.
Resolution
Restrict access to CloudWatch Logs for a specific user
Use the following IAM policy to grant the DescribeLogGroups action, together with the related read-only actions, scoped to a single log group. This provides the minimum permissions necessary to list the specified log group.
Example IAM policy:
Note: Replace example-region with your AWS Region, 123456789012 with your AWS account ID, and example-log-group with your log group name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "logs:StartLiveTail",
        "logs:StopLiveTail",
        "cloudwatch:GenerateQuery"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:example-region:123456789012:log-group:example-log-group:*"
    }
  ]
}
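A policy like the one above is easy to broaden by accident (a "*" resource, a leftover placeholder, or a write action slipped into the list), and a copy from a web page can carry typographic quotes that IAM rejects as invalid JSON. The following script is an added example, not AWS tooling or code from this article: it lints an identity-based policy against the read-only action set shown above and checks that every resource is a log-group ARN scoped to the expected Region, account and log group. The Region us-east-1, the account 123456789012 and the log group name app-prod in the samples are constructed values.

```python
"""Lint an identity-based IAM policy meant to grant read-only access to one
CloudWatch Logs log group. Constructed example; not AWS's own tooling."""
import json
import re
from fnmatch import fnmatchcase
from typing import List

# Actions the policy in the article grants; '*' is an IAM-style wildcard.
ALLOWED_ACTION_PATTERNS = (
    "logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery",
    "logs:TestMetricFilter", "logs:FilterLogEvents", "logs:StartLiveTail",
    "logs:StopLiveTail", "cloudwatch:GenerateQuery",
)

# Log-group ARN shape: arn:aws:logs:<region>:<12-digit account>:log-group:<name>[:*]
LOG_GROUP_ARN = re.compile(r"^arn:aws:logs:([a-z0-9-]+):(\d{12}):log-group:([^:]+)(:\*)?$")

# Typographic quotes picked up when a policy is copied from a web page.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def normalize_quotes(text: str) -> str:
    """Replace typographic quotes with ASCII ones so the document parses as JSON."""
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def _as_list(value):
    """IAM allows a single string or object where a list is also accepted."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_policy(policy_text: str, region: str, account: str, log_group: str) -> List[str]:
    """Return a list of findings; an empty list means the policy is scoped as expected."""
    findings = []
    if any(q in policy_text for q in SMART_QUOTES):
        findings.append("typographic quotes present: IAM rejects the document as invalid JSON")
        policy_text = normalize_quotes(policy_text)
    policy = json.loads(policy_text)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            # '*' and 'logs:*' match none of the allowed patterns and are flagged here too.
            if not any(fnmatchcase(action, p) for p in ALLOWED_ACTION_PATTERNS):
                findings.append(f"statement {i}: action {action!r} is outside the read-only allow list")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: resource '*' grants access to every log group")
                continue
            m = LOG_GROUP_ARN.match(resource)
            if not m:
                findings.append(f"statement {i}: resource {resource!r} is not a log-group ARN")
                continue
            got = (m.group(1), m.group(2), m.group(3))
            if any(part.startswith("example-") for part in got):
                findings.append(f"statement {i}: placeholder left in resource ARN {resource!r}")
            if got != (region, account, log_group):
                findings.append(f"statement {i}: resource scoped to {got}, expected {(region, account, log_group)}")
    return findings


# Constructed sample: the article's policy with placeholders filled in and ASCII quotes.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": list(ALLOWED_ACTION_PATTERNS),
        "Effect": "Allow",
        "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:app-prod:*",
    }],
})

# Constructed sample: typographic quotes, a delete action and a wildcard resource.
BROAD_POLICY = (
    '{"Version": "2012-10-17", "Statement": [{"Action": [\u201clogs:Describe*\u201d, '
    '"logs:DeleteLogGroup"], "Effect": "Allow", "Resource": "*"}]}'
)

if __name__ == "__main__":
    for name, text in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, lint_policy(text, "us-east-1", "123456789012", "app-prod") or "OK")
```

Run it before attaching a policy to a user: the scoped sample produces no findings, while the broad sample reports the quotes, the delete action and the wildcard resource. Placeholders such as example-region that were never replaced are reported as well.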
Restrict access to CloudWatch Logs for an AWS service
For AWS services that interact with CloudWatch Logs, use service-linked roles. A service-linked role is created automatically when you set up a service with CloudWatch Logs and includes all the permissions that service needs, so you don't have to grant broader access than necessary.
Note: To configure IAM permissions, use the AWS Management Console. To manage CloudWatch Logs resource-based policies, use API calls.