Least-privilege Cloudwatch Logs policy for API Gateway


Hey!

I'm trying to set up a new API Gateway through Terraform, and I'm having some trouble setting up the IAM policy for the cloudwatch logs role. I've created the log group, and set retention to 1 day, but I'm unable to create a policy that'll be accepted by the AWS console.

My current (anonymised) effort looks like this:

{
    "Statement": [
        {
            "Action": "logs:DescribeLogGroups",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "LogGroups"
        },
        {
            "Action": [
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:CreateLogStream"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*",
            "Sid": "LogStreams"
        }
    ],
    "Version": "2012-10-17"
}

When I try to set the cloudwatch log arn in the console, I get an error: "The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy." If I try to edit the policy in the visual editor, it doesn't seem to like the format of the resources, but I've checked those repeatedly against the docs.

The trust relationship is straightforward:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Any ideas?

1 answer

Accepted answer

I think it's looking for all the permissions required based on AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs as listed in this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions. Then, I don't think you can specify the log group, since API Gateway uses the same CloudWatch logs IAM role across the region (e.g. other REST APIs in the region will use the same IAM role).

The following sample should work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchAccess1",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*:log-stream:*"
        },
        {
            "Sid": "CloudWatchAccess2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*"
        }
    ]
}
joahna
answered 2 years ago
  • API Gateway uses the same CloudWatch logs IAM role across the region

    This is the first time I've consciously seen this information written down. That's super-helpful, thanks. I'll revert to using the managed policy and just ensure I've created my log-group before provisioning the APIG.
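The point the thread turns on is that the CloudWatch Logs role is an account/region-wide API Gateway setting, so a policy scoped to one API's log group silently breaks logging for every other API in that region. The following script is an added example (not part of the question, the answer, or any AWS tooling): a small offline evaluator that takes an IAM policy document and reports which of the seven actions from the managed policy AmazonAPIGatewayPushToCloudWatchLogs it fails to grant for a *different* API's execution-log group in the same region. The two policies embedded are constructed copies of the ones posted above, with the answer's `<<aws_region>>`/`<<aws_account>>` placeholders and the second API's id and stage replaced by sample values. The evaluator is deliberately simplified (assumptions: only `Effect`, `Action` and `Resource` are considered; `Condition`, `NotAction` and `NotResource` are ignored) and the mapping of each action to a log-group or log-stream ARN is this example's own choice, not something the page states.

```python
"""Check which CloudWatch Logs permissions needed by API Gateway an IAM policy
fails to grant, evaluated against the execution-log group of a second REST API
in the same region (the role is shared region-wide, as the accepted answer says).

Simplifications (assumptions of this example): Condition, NotAction and
NotResource are not evaluated; only Effect, Action and Resource are considered.
"""
import re

# The seven actions granted by the AWS managed policy
# AmazonAPIGatewayPushToCloudWatchLogs, as listed in the accepted answer.
# Each is paired with the kind of ARN this example evaluates it against
# (assumption: stream-level data actions vs. group-level actions).
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup": "group",
    "logs:CreateLogStream": "group",
    "logs:DescribeLogGroups": "group",
    "logs:DescribeLogStreams": "group",
    "logs:FilterLogEvents": "group",
    "logs:PutLogEvents": "stream",
    "logs:GetLogEvents": "stream",
}


def iam_glob(pattern, case_insensitive):
    """Compile an IAM wildcard pattern: '*' matches any run, '?' one character.
    Action names are case-insensitive in IAM; ARNs are matched case-sensitively."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if case_insensitive else 0)


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches (action, resource) and no Deny does."""
    allowed = denied = False
    for stmt in _as_list(policy["Statement"]):
        acts = [iam_glob(a, True) for a in _as_list(stmt.get("Action", []))]
        ress = [iam_glob(r, False) for r in _as_list(stmt.get("Resource", []))]
        if any(a.match(action) for a in acts) and any(r.match(resource_arn) for r in ress):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def missing_permissions(policy, region, account, api_id, stage, stream="0000"):
    """Return (sorted) the required actions the policy does not grant for the
    execution-log group of the given API id and stage."""
    group_arn = f"arn:aws:logs:{region}:{account}:log-group:API-Gateway-Execution-Logs_{api_id}/{stage}"
    arns = {"group": group_arn, "stream": f"{group_arn}:log-stream:{stream}"}
    return sorted(a for a, kind in REQUIRED_ACTIONS.items() if not is_allowed(policy, a, arns[kind]))


# Constructed copies of the two policies posted in the thread; the account id
# and region are sample values standing in for the answer's placeholders.
REGION, ACCOUNT = "eu-west-1", "123456789012"

QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LogGroups", "Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
    {"Sid": "LogStreams", "Effect": "Allow",
     "Action": ["logs:PutLogEvents", "logs:GetLogEvents", "logs:DescribeLogStreams", "logs:CreateLogStream"],
     "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*"},
]}

ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudWatchAccess1", "Effect": "Allow",
     "Action": ["logs:GetLogEvents", "logs:PutLogEvents"],
     "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:*:log-stream:*"},
    {"Sid": "CloudWatchAccess2", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams",
                "logs:FilterLogEvents", "logs:CreateLogGroup"],
     "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:*"},
]}

if __name__ == "__main__":
    # "otherapi"/"prod" is a constructed second REST API in the same region,
    # which the shared role must be able to log for as well.
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(f"{name}: missing {missing_permissions(policy, REGION, ACCOUNT, 'otherapi', 'prod')}")
```

Run against the questioner's policy, the evaluator reports six of the seven actions as not granted for the second API (only `logs:DescribeLogGroups`, allowed on `*`, survives), while the answer's region-wide `log-group:*` policy reports nothing missing. The same evaluator can be pointed at any candidate role policy before it is set as the account's CloudWatch Logs role, which is cheaper than discovering the gap from the console error quoted in the question.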
