1 Answer
Hello.
If I set the following IAM policy to the EC2 IAM role, will I be able to output?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
      ]
    }
  ]
}
Resource-based policies define who is allowed to perform which actions, so wouldn't it be necessary to allow the ARN of the EC2 IAM role in "Principal"?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS-account-ID:role/ec2-role-name"
      },
      "Action": [
        "logs:*"
      ],
      "Resource": [
        "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:ap-northeast-1:0123456789:*"]
        }
      }
    }
  ]
}
Hi,
Yes, you will be able to output the logs if you attach that policy to the EC2 IAM role. However, in my case, I am trying to output session manager logs by enabling logging from SSM directly, without using an IAM policy.
I assume the policy you are referring to is an IAM policy and not a CloudWatch Logs resource policy.
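The thread turns on the difference between an identity-based policy attached to the EC2 role (no `Principal`) and a resource-based policy (which names a `Principal`). The following is an added example, not code from any poster or from AWS: a small offline linter that checks a policy document against the kind it is meant to be and validates the ARNs it contains. The function names, the sample policies and the account ID `111122223333` are constructed for illustration.

```python
import re

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_problems(arn):
    # Expected shape: arn:partition:service:region:account-id:resource
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        return [f"malformed ARN (expected 6 fields): {arn}"]
    if parts[4] not in ("", "*") and not re.fullmatch(r"\d{12}", parts[4]):
        return [f"account ID is not 12 digits: {arn}"]
    return []

def lint_policy(doc, kind):
    # kind: "identity" (attached to the role) or "resource" (attached to the log side)
    findings = []
    for stmt in as_list(doc["Statement"]):
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == "identity" and has_principal:
            findings.append("Principal is not valid in an identity-based policy")
        if kind == "resource" and not has_principal:
            findings.append("resource-based policy statement has no Principal")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
        arns = list(as_list(stmt.get("Resource", [])))
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            arns += [p for p in as_list(principal.get("AWS", [])) if p.startswith("arn:")]
        for operator in stmt.get("Condition", {}).values():
            for key, value in operator.items():
                if key.lower().endswith("arn"):  # e.g. aws:SourceArn
                    arns += as_list(value)
        findings += [p for arn in arns if arn != "*" for p in arn_problems(arn)]
    return findings

# Constructed samples; 111122223333 is a placeholder account ID.
LOG_ARN = "arn:aws:logs:ap-northeast-1:111122223333:log-group:session-manager:log-stream:*"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": [LOG_ARN]}]}
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:*"], "Resource": [LOG_ARN],
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ec2-role-name"},
    "Condition": {"ArnLike": {"aws:SourceArn": ["arn:aws:ap-northeast-1:111122223333:*"]}}}]}

if __name__ == "__main__":
    print(lint_policy(ROLE_POLICY, "identity"), lint_policy(RESOURCE_POLICY, "resource"))
```

The linter only checks document shape; whether a given call is actually authorized still depends on IAM policy evaluation in the account.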