How do I resolve the CloudWatch error "Unable to enable logging. Policy document length breaking Cloudwatch Logs Constraints" when I try to create an AWS resource?


When I try to create an AWS resource, I receive the Amazon CloudWatch error "Unable to enable logging. Policy document length breaking Cloudwatch Logs Constraints".

Short description

When you turn on CloudWatch Logs for your AWS services or create a new AWS resource, you might get the following error message:

"Unable to enable logging. Policy document length breaking Cloudwatch Logs Constraints"

CloudWatch resource policies have a maximum allowed character length of 5120. When your policy has more than 5120 characters, you get the preceding error. You can review the error details in the AWS CloudTrail Event history.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

You can check CloudWatch Logs resource policies only with the AWS CLI; the console doesn't show them.

To check your current resource policies and modify them, complete the following steps:

  1. Run the describe-resource-policies AWS CLI command to check your current CloudWatch resource policies:

    aws logs describe-resource-policies --region REGION > resource.json
  2. Save the output to a JSON file that's named resource.json.

  3. Copy the AWSLogDeliveryWrite20150319 policy from resource.json, and then paste the policy into a text editor.

  4. To reduce the number of characters in your policy, do the following:
    Remove entries that you don't use, such as resources and log streams.
    Replace resource ARNs with the wildcard character *.
    Attach a new resource policy that has the required permissions.

  5. Run the put-resource-policy AWS CLI command to replace the AWSLogDeliveryWrite20150319 resource policy with your edited version in resource.json:

    aws logs put-resource-policy --policy-document file://resource.json --policy-name AWSLogDeliveryWrite20150319

When you add the new resource policy, you might get the following error message that's related to CloudWatch quotas:

"Error: creating CloudWatch Logs Resource Policy (name): operation error CloudWatch Logs: PutResourcePolicy, exceeded maximum number of attempts, https response error StatusCode: 400, RequestID: 3d123ce1-f123-4d12-12b8-abc1234ba1a9, LimitExceededException: Resource limit exceeded."

You can have a maximum of 10 CloudWatch Logs resource policies in your AWS account for each AWS Region. You can't change this quota. To resolve this issue, run the delete-resource-policy AWS CLI command to remove an existing policy that you no longer need:

aws logs delete-resource-policy --policy-name POLICY_NAME

When you have fewer than 10 resource policies in your Region, you can create a new resource policy.
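The check and shrink steps above, as an added Python example that is not part of the article: it parses a constructed describe-resource-policies output (placeholder account and log-group ARNs), flags any policy document over the 5120-character limit, collapses the per-log-group Resource ARNs to the wildcard as step 4 describes, and reports how many policies the Region's quota of 10 still allows.

```python
import json

# Limits stated in the article for CloudWatch Logs resource policies.
MAX_POLICY_CHARS = 5120
MAX_POLICIES_PER_REGION = 10

# Constructed policy document (placeholder account and log-group ARNs), as the JSON string it is returned in.
SAMPLE_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [
            f"arn:aws:logs:us-east-1:111122223333:log-group:/aws/vpc/flow-{i}:log-stream:*"
            for i in range(70)]}]})
# Constructed sample shaped like `aws logs describe-resource-policies` output.
SAMPLE_OUTPUT = json.dumps({"resourcePolicies": [{
    "policyName": "AWSLogDeliveryWrite20150319",
    "policyDocument": SAMPLE_DOC,
    "lastUpdatedTime": 1700000000000}]})

def oversized_policies(describe_output: str) -> list:
    """Return (policyName, length) for each policy above the 5120-character limit."""
    policies = json.loads(describe_output)["resourcePolicies"]
    return [(p["policyName"], len(p["policyDocument"]))
            for p in policies if len(p["policyDocument"]) > MAX_POLICY_CHARS]

def shrink_policy(policy_document: str) -> str:
    """Collapse per-log-group Resource ARNs to "*" (step 4) and return a compact document."""
    doc = json.loads(policy_document)
    for stmt in doc["Statement"]:
        if "Resource" in stmt:
            stmt["Resource"] = "*"
    # Whitespace counts toward the limit too, so emit the document without it.
    return json.dumps(doc, separators=(",", ":"))

def policy_slots_left(describe_output: str) -> int:
    """How many more resource policies this Region can hold under the quota of 10."""
    return MAX_POLICIES_PER_REGION - len(json.loads(describe_output)["resourcePolicies"])

if __name__ == "__main__":
    for name, size in oversized_policies(SAMPLE_OUTPUT):
        print(f"{name}: {size} characters exceeds {MAX_POLICY_CHARS}")
    shrunk = shrink_policy(SAMPLE_DOC)
    print(f"after shrinking: {len(shrunk)} characters; "
          f"{policy_slots_left(SAMPLE_OUTPUT)} policy slots left in this Region")
```

Write the shrunk document to resource.json before running put-resource-policy, and keep any resource-specific entries the service still needs rather than wildcarding everything blindly.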

Related information

Viewing recent management events with the console

CloudWatch Logs quotas

Enable logging from AWS services