1回答
- 新しい順
- 投票が多い順
- コメントが多い順
2
I think it's looking for all the permissions required based on AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs as listed in this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions. Then, I don't think you can specify the log group, since API Gateway uses the same CloudWatch logs IAM role across the region (e.g other REST APIs in the region will use the same IAM role).
The following sample should work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudWatchAccess1",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*:log-stream:*"
},
{
"Sid": "CloudWatchAccess2",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*"
}
]
}
回答済み 2年前
関連するコンテンツ
- AWS公式更新しました 3年前
- AWS公式更新しました 2年前
This is the first time I've consciously seen this information written down. That's super-helpful, thanks. I'll revert to using the managed policy and just ensure I've created my log-group before provisioning the APIG.