When I try to create an AWS resource, I receive the Amazon CloudWatch Logs error "Unable to enable logging. Policy document length breaking CloudWatch Logs Constraints".
Short description
When you turn on CloudWatch Logs for your AWS services or create a new AWS resource, you might get the following error message:
"Unable to enable logging. Policy document length breaking CloudWatch Logs Constraints"
CloudWatch resource policies have a maximum allowed character length of 5120. When your policy has more than 5120 characters, you get the preceding error. You can review the error details in the AWS CloudTrail Event history.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
You can use only the AWS CLI to check CloudWatch resource policies.
To check your current resource policies and modify them, complete the following steps:
- Run the describe-resource-policies AWS CLI command to check your current CloudWatch resource policies:
  aws logs describe-resource-policies --region REGION-NAME > resource.json
  Note: Replace REGION-NAME with your AWS Region.
- Save the output to a JSON file that's named resource.json.
- Copy the policy document of the AWSLogDeliveryWrite20150319 policy from resource.json, and then paste it into a text editor.
- To reduce the number of characters in your policy, do the following:
  - Remove entries that you don't use, such as resources and log streams.
  - Replace resource Amazon Resource Names (ARNs) with the wildcard character *.
  - Attach a new resource policy that has the required permissions.
  Example resource policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {
          "Service": "delivery.logs.amazonaws.com"
        },
        "Action": [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": [
          "arn:aws:logs:us-east-1:869614222995:log-group:aws-waf-logs-albwafs:log-stream:xyz",
          "arn:aws:logs:us-east-1:869614222995:log-group:aws-s3:log-stream:abc"
        ],
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "869614222995"
          },
          "ArnLike": {
            "aws:SourceArn": "arn:aws:logs:us-east-1:869614222995:*"
          }
        }
      }
    ]
  }
Note: The example shows a policy with two resources. When the resource policy exceeds the 5120 character limit, CloudWatch automatically adds the entry /aws/vendedlogs/* to the policy. Then, you must create new log groups with the prefix /aws/vendedlogs/. If you want to use custom log group names, then edit the policy to include your specific resource names. Make sure to stay within the character limit.
- Run the put-resource-policy AWS CLI command to replace the AWSLogDeliveryWrite20150319 resource policy with the edited policy document that you saved as resource.json:
  aws logs put-resource-policy --policy-name POLICY-NAME --policy-document file://resource.json
  Note: Replace POLICY-NAME with the name of the resource policy that you want to replace, for example AWSLogDeliveryWrite20150319.
When you add the new resource policy, you might get the following error message that's related to CloudWatch quotas:
"Error: creating CloudWatch Logs Resource Policy (name): operation error CloudWatch Logs: PutResourcePolicy, exceeded maximum number of attempts, https response error StatusCode: 400, RequestID: 3d123ce1-f123-4d12-12b8-abc1234ba1a9, LimitExceededException: Resource limit exceeded."
You can have a maximum of 10 CloudWatch Logs resource policies in your AWS account for each Region. You can't change this quota. To resolve this issue, run the delete-resource-policy AWS CLI command to remove an existing policy:
aws logs delete-resource-policy --policy-name POLICY-NAME
Note: Replace POLICY-NAME with the name of the resource policy you want to delete.
When you have fewer than 10 resource policies in your Region, you can create a new resource policy.
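The following Python script is an added example written for this article; it is not code from AWS or from the article itself. It works offline on a constructed stand-in for the JSON that describe-resource-policies writes to resource.json (the real response is a resourcePolicies list whose entries carry policyName and policyDocument, with policyDocument stored as a JSON string). It measures each policy document against the 5120-character limit, applies the article's advice of replacing the per-resource ARNs with a wildcard, and counts how many of the 10 per-Region policy slots remain. The refusal to widen a statement that has no aws:SourceAccount condition is the editor's own safeguard: with Resource set to *, that condition is what stops another account's log delivery from writing into your log groups. The policy names, log group names and timestamps in the sample are constructed; the account ID and Region are the ones from the example policy above.

```python
import json

MAX_POLICY_CHARS = 5120          # resource policy length limit named in the article
MAX_POLICIES_PER_REGION = 10     # resource policy quota named in the article

ACCOUNT = "869614222995"         # account ID taken from the article's example policy
REGION = "us-east-1"


def _stream_arn(group: str, stream: str) -> str:
    return f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{group}:log-stream:{stream}"


def _delivery_statement(resources) -> dict:
    """One AWSLogDeliveryWrite statement in the shape shown in the article."""
    return {
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": resources,
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT},
            "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{REGION}:{ACCOUNT}:*"},
        },
    }


# Constructed stand-in for the JSON that `aws logs describe-resource-policies`
# writes to resource.json: one policy that names a log stream per resource and
# has grown past the limit, plus one small policy (constructed name).
SAMPLE_RESPONSE = {
    "resourcePolicies": [
        {
            "policyName": "AWSLogDeliveryWrite20150319",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [_delivery_statement(
                    [_stream_arn(f"aws-waf-logs-app{i}", f"stream{i}") for i in range(70)]
                )],
            }),
            "lastUpdatedTime": 1700000000000,
        },
        {
            "policyName": "AWSLogDeliveryWriteSmall",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [_delivery_statement([_stream_arn("aws-s3", "abc")])],
            }),
            "lastUpdatedTime": 1700000000000,
        },
    ]
}

# Constructed policy with no aws:SourceAccount condition; shrink_policy must refuse it.
UNCONDITIONED_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [_stream_arn("aws-s3", "abc")],
    }],
})


def policy_lengths(response: dict) -> dict:
    """Character count of each policy document, which is what the 5120 limit measures."""
    return {p["policyName"]: len(p["policyDocument"]) for p in response["resourcePolicies"]}


def oversized_policies(response: dict, limit: int = MAX_POLICY_CHARS) -> list:
    """Names of the policies that trigger the 'Policy document length' error."""
    return sorted(name for name, n in policy_lengths(response).items() if n > limit)


def shrink_policy(policy_document: str, resource: str = "*") -> str:
    """Replace the per-resource ARN list with a wildcard and emit compact JSON.

    Refuses to widen a statement that has no aws:SourceAccount condition: once
    Resource is "*", that condition is what keeps another account's log
    delivery from writing into your log groups.
    """
    doc = json.loads(policy_document)
    for stmt in doc["Statement"]:
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "aws:SourceAccount" not in equals:
            raise ValueError(f"statement {stmt.get('Sid', '<no Sid>')} lacks aws:SourceAccount; not widening")
        stmt["Resource"] = resource
    shrunk = json.dumps(doc, separators=(",", ":"))
    if len(shrunk) > MAX_POLICY_CHARS:
        raise ValueError(f"still {len(shrunk)} characters after shrinking")
    return shrunk


def remaining_policy_slots(response: dict, quota: int = MAX_POLICIES_PER_REGION) -> int:
    """How many more resource policies put-resource-policy can create in this Region."""
    return quota - len(response["resourcePolicies"])


if __name__ == "__main__":
    for name, n in policy_lengths(SAMPLE_RESPONSE).items():
        print(f"{name}: {n} characters")
    for name in oversized_policies(SAMPLE_RESPONSE):
        original = next(p["policyDocument"] for p in SAMPLE_RESPONSE["resourcePolicies"]
                        if p["policyName"] == name)
        print(f"{name} shrinks to {len(shrink_policy(original))} characters")
    print(f"{remaining_policy_slots(SAMPLE_RESPONSE)} policy slots left in the Region")
```

To keep the policy narrower than *, pass a wildcard ARN as resource, for example arn:aws:logs:us-east-1:869614222995:log-group:/aws/vendedlogs/*:log-stream:*, which matches the /aws/vendedlogs/ prefix that the article mentions. Write the string that shrink_policy returns to resource.json before you run put-resource-policy, since the file must contain only the policy document, not the describe-resource-policies output.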
Related information
Viewing recent management events with the console
CloudWatch Logs quotas
Enable logging from AWS services