How to craft a custom AWS CloudWatch Read-Only policy tailored for a specific log group, including permissions for Logs Insights?

0

I used this code. It's working in the log groups dashboard, but in the Logs Insights dashboard I am getting an error. I have attached the code and a screenshot below.

The code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": ""
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:GetQueryResults",
                "logs:GetLogGroupFields"
            ],
            "Resource": "arn:aws:logs:ap-south-1:744096931876:log-group:/aws/lambda/Password-generate:"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        }
    ]
}


KARTHIK
asked a year ago, 353 views
1 Answer
1
Accepted Answer

Hello.

I modified the policy as follows.
I have included all the policies used by CloudWatch Logs Insights, so it will probably work.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeQueryDefinitions",
                "logs:DescribeQueries",
                "logs:GetLogEvents",
                "logs:StopQuery"
            ], 
            "Resource": "*" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "logs:DescribeLogStreams", 
                "logs:StartQuery", 
                "logs:GetQueryResults", 
                "logs:GetLogGroupFields" 
            ], 
            "Resource": "arn:aws:logs:ap-south-1:744096931876:log-group:/aws/lambda/Password-generate:*" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "cloudwatch:GetMetricData", 
                "cloudwatch:GetMetricStatistics", 
                "cloudwatch:ListMetrics" 
            ], 
            "Resource": "*" 
        } 
    ] 
}
EXPERT
answered a year ago
AWS EXPERT
reviewed a year ago
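A least-privilege check for a policy of this shape, as an added example that is not part of the original answer: it lists the content-reading actions that an Allow statement grants on a resource outside the target log group. The `CONTENT_ACTIONS` set and the function names are assumptions of this example; the policy dict is the one from the answer.

```python
import re

LOG_GROUP_ARN = "arn:aws:logs:ap-south-1:744096931876:log-group:/aws/lambda/Password-generate"

# The policy from the answer above, written as a Python dict.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "logs:DescribeLogGroups", "logs:DescribeQueryDefinitions",
        "logs:DescribeQueries", "logs:GetLogEvents", "logs:StopQuery"]},
    {"Effect": "Allow", "Resource": LOG_GROUP_ARN + ":*", "Action": [
        "logs:DescribeLogStreams", "logs:StartQuery",
        "logs:GetQueryResults", "logs:GetLogGroupFields"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"]},
]}

# Assumption of this example: the actions treated as returning log content.
CONTENT_ACTIONS = {"logs:GetLogEvents", "logs:FilterLogEvents",
                   "logs:StartQuery", "logs:GetQueryResults"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns are case-insensitive and may use * and ? wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def unscoped_content_reads(policy, log_group_arn):
    """List (action, resource) pairs where an Allow statement grants a
    content-reading action on a resource outside log_group_arn.
    Deny, NotAction, NotResource and Condition are not evaluated."""
    findings = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource.startswith(log_group_arn + ":"):
                continue  # confined to the target log group and its streams
            for pattern in _as_list(stmt["Action"]):
                findings.update((a, resource) for a in CONTENT_ACTIONS
                                if _matches(pattern, a))
    return sorted(findings)

if __name__ == "__main__":
    for action, resource in unscoped_content_reads(POLICY, LOG_GROUP_ARN):
        print(f"{action} is allowed on {resource}")
```

On the policy above it reports `logs:GetLogEvents` on `*`, which is the one log-reading grant not limited to the `/aws/lambda/Password-generate` log group.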
