How do I restrict access to CloudWatch Logs for a specific user or AWS service?


I want to restrict access to Amazon CloudWatch Logs for a specific user or AWS service.

Short description

To restrict access to your log groups, use identity-based AWS Identity and Access Management (IAM) policies for users and service-linked roles for AWS services.

Resolution

Restrict access to CloudWatch Logs for a specific user

Use the following identity-based IAM policy to grant the Describe, Get, List, query and live-tail actions that are the minimum necessary to view a specified log group. Because the Resource element names a single log group ARN (and, through the trailing `:*`, its log streams), the user can read that log group but gets no access to other log groups and no write, create or delete permissions.

Example IAM policy:

Note: Replace example-region with your AWS Region, 123456789012 with your AWS account ID, and example-log-group with your log group name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "logs:StartLiveTail",
        "logs:StopLiveTail",
        "cloudwatch:GenerateQuery"
      ],
      "Resource": "arn:aws:logs:example-region:123456789012:log-group:example-log-group:*"
    }
  ]
}
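The following Python script is an added example, not code from the article or from AWS. It builds the policy above for a given Region, account ID and log group, then runs a small offline evaluator over it to confirm what the scoping actually does: read actions on the named log group and its streams are allowed, write and delete actions are denied, and the same read actions on a different log group are denied. The Region, account ID, log group and stream names are constructed sample values, and the evaluator is a deliberately minimal model of IAM matching (Allow/Deny on Action and Resource with `*` and `?` wildcards, explicit Deny winning) that ignores Condition, NotAction and NotResource.

```python
import json
import re

# Constructed sample values (assumptions for this example, not from the article).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
LOG_GROUP = "example-log-group"

# The action list from the article's policy: describe/get/list plus query and live-tail actions.
READ_ONLY_ACTIONS = [
    "logs:Describe*",
    "logs:Get*",
    "logs:List*",
    "logs:StartQuery",
    "logs:StopQuery",
    "logs:TestMetricFilter",
    "logs:FilterLogEvents",
    "logs:StartLiveTail",
    "logs:StopLiveTail",
    "cloudwatch:GenerateQuery",
]


def log_group_arn(region, account_id, log_group, suffix=":*"):
    """Build a CloudWatch Logs log-group ARN; the default ':*' suffix also covers its log streams."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}{suffix}"


def build_policy(region, account_id, log_group):
    """Return the identity-based policy from the article, scoped to exactly one log group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(READ_ONLY_ACTIONS),
                "Resource": log_group_arn(region, account_id, log_group),
            }
        ],
    }


def _iam_match(pattern, value, case_insensitive):
    """Match an IAM-style pattern: '*' is any run of characters, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Minimal offline evaluator: explicit Deny wins, then any matching Allow, else implicit deny.
    Only Action and Resource are modelled (no Condition, NotAction, NotResource or Principal),
    so use it to reason about scoping, not as a substitute for the IAM policy simulator."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are matched case-insensitively; ARNs are matched case-sensitively.
        action_hit = any(_iam_match(a, action, True) for a in actions)
        resource_hit = any(_iam_match(r, resource, False) for r in resources)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def evaluate_cases(policy, region=REGION, account_id=ACCOUNT_ID, log_group=LOG_GROUP):
    """Run the requests a reviewer would want checked and return {(action, arn): allowed}."""
    own_stream = log_group_arn(region, account_id, log_group, ":log-stream:app-1")
    own_group = log_group_arn(region, account_id, log_group)
    other_group = log_group_arn(region, account_id, "other-log-group")
    sibling_group = log_group_arn(region, account_id, log_group + "-2")  # prefix lookalike
    cases = [
        ("logs:GetLogEvents", own_stream),      # read a stream in the allowed group
        ("logs:FilterLogEvents", own_group),    # search the allowed group
        ("logs:PutLogEvents", own_stream),      # write: not in the action list
        ("logs:DeleteLogGroup", own_group),     # delete: not in the action list
        ("logs:GetLogEvents", other_group),     # read a different group
        ("logs:GetLogEvents", sibling_group),   # read a group whose name merely starts the same
    ]
    return {(a, r): is_allowed(policy, a, r) for a, r in cases}


if __name__ == "__main__":
    policy = build_policy(REGION, ACCOUNT_ID, LOG_GROUP)
    print(json.dumps(policy, indent=2))
    for (action, arn), allowed in evaluate_cases(policy).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {action:22} {arn}")
```

The sibling-group case is why the Resource ARN ends in `example-log-group:*` and not `example-log-group*`: the colon before the wildcard stops the pattern from also matching a log group named `example-log-group-2`. For an authoritative answer that includes conditions and each action's supported resource types, feed the generated document to `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names logs:GetLogEvents --resource-arns <arn>` rather than relying on this local model.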

Restrict access to CloudWatch Logs for an AWS service

For AWS services that interact with CloudWatch Logs, use service-linked roles. A service-linked role is created automatically when you configure the service to work with CloudWatch Logs, and it includes all of the permissions that the service needs, so you don't have to write or maintain the policy yourself.

Note: To configure IAM permissions, use the AWS Management Console. To manage CloudWatch Logs resource-based policies, use API calls.

AWS OFFICIAL. Updated 22 days ago.