Limit access to CloudWatch Logs Insights query results

0

Hey guys,

I created an IAM Identity Center permission set and group. The permission set attached to the group only allows the users inside the group to view CloudWatch logs generated by a specific account (our Crypto account); the statement looks like this:

Note: The statement with the ID "DescribeCryptoTrail" limits the user to only view logs from our Crypto account.

"Statement": {
    "Sid": "DescribeCryptoTrail",
    "Action": "logs:GetLogEvents",
    "Effect": "Allow",
    "Resource": [
        "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
    ]
}

This works well since the user gets a permission denied error when he tries to view logs from a different account, but now my concern is how do I limit access to the queries the users can return in CloudWatch Logs Insights? For example, the users in the Crypto-Access group should only be able to return queries that were generated by the Crypto account.

So far, I have tried using statements such as:

{
    "Sid": "AdditionalPermissions",
    "Action": [
        "logs:FilterLogEvents"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
    ]
},
{
    "Sid": "AdditionalPermissionsTwo",
    "Action": [
        "logs:DescribeQueryDefinitions"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
    ]
}

This is a similar approach to what worked for granting access to the CloudWatch logs, but this time it seems I need to grant access to the entire log group, judging from the error:

not authorized to perform: logs:FilterLogEvents on resource: arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:* because no identity-based policy allows the logs:FilterLogEvents action

This indicates that I need to provide access to the main log group; I can't limit it to a specific path in the log group.

Is there any other way I can force query results based on the IAM policy, or maybe a way I can require a user to include a filter in the query such as filter recipientAccountId = "CRYPTO-ACCOUNT-ID"?

Thanks in advance

1 answer
0

Hello,

As per the AWS Doc on Actions, resources, and condition keys for Amazon CloudWatch Logs, the FilterLogEvents API only supports the log-group* Resource type.

Note - log-group resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}

However, as evident from the policy above, you are trying to restrict the FilterLogEvents API with a log stream resource type instead -> arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*.

Note - log-stream resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}

Additionally note that the "Run Query" button calls the "FilterLogEvents" action in the back end. Hence, you can only restrict it to a specific log group.

Similarly, the DescribeQueryDefinitions API currently doesn't support any Resource ARN restriction, as evident from the above AWS Doc as well. Remember, if there is no value for this column (Resource types), you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. Hence, you can't restrict it with a log group or log stream resource type. It's basically an all or nothing List API operation which you can't restrict at the given time.

Also, please note that these two IAM actions/CloudWatch Logs APIs currently do not support any condition keys either.

AWS Support Engineer
Yash_C
answered a year ago
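A small policy check, added here as an illustration and not part of the question, the answer, or any AWS tooling, that applies the resource-type rules the answer describes to a policy document: it flags Allow statements whose Resource element names a resource type the action never evaluates, so the grant silently does nothing (as happened with FilterLogEvents and DescribeQueryDefinitions above). The action-to-resource-type table and the sample policy are constructed from the statements in this thread, with placeholder account and org IDs.

```python
# Resource types each action accepts, taken from the answer above (GetLogEvents
# is evaluated against a log-stream ARN, FilterLogEvents only against a
# log-group ARN, DescribeQueryDefinitions against no ARN at all, i.e. "*").
# Constructed lookup table for this check, not an AWS API.
SUPPORTED_RESOURCE_TYPES = {
    "logs:GetLogEvents": {"log-stream"},
    "logs:FilterLogEvents": {"log-group"},
    "logs:DescribeQueryDefinitions": set(),
}

GROUP_ARN = "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs"
STREAM_PATTERN = GROUP_ARN + ":log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"

# Constructed policy mirroring the three statements posted in the question.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeCryptoTrail", "Effect": "Allow",
         "Action": "logs:GetLogEvents", "Resource": [STREAM_PATTERN]},
        {"Sid": "AdditionalPermissions", "Effect": "Allow",
         "Action": ["logs:FilterLogEvents"], "Resource": [STREAM_PATTERN]},
        {"Sid": "AdditionalPermissionsTwo", "Effect": "Allow",
         "Action": ["logs:DescribeQueryDefinitions"], "Resource": [STREAM_PATTERN]},
    ],
}

def classify_resource(resource):
    """'any' for "*", 'log-group' or 'log-stream' for CloudWatch Logs ARNs, else 'other'."""
    if resource == "*":
        return "any"
    if not resource.startswith("arn:") or ":log-group:" not in resource:
        return "other"
    return "log-stream" if ":log-stream:" in resource else "log-group"

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy):
    """Return (sid, action, reason) for each Allow grant whose Resource can never match."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # IAM allows a single object
    findings = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            supported = SUPPORTED_RESOURCE_TYPES.get(action)
            if supported is None:
                continue  # action not in our table, nothing to say about it
            for res in as_list(stmt.get("Resource", [])):
                kind = classify_resource(res)
                if kind == "any" or kind in supported:
                    continue
                reason = ('no resource-level ARN supported, Resource must be "*"' if not supported
                          else f"supports only {sorted(supported)}, got {kind}")
                findings.append((stmt.get("Sid"), action, reason))
    return findings

if __name__ == "__main__":
    for sid, action, reason in lint_policy(EXAMPLE_POLICY):
        print(f"{sid}: {action}: {reason}")
```

Run against the sample policy it reports the two AdditionalPermissions statements and leaves DescribeCryptoTrail alone, matching the behaviour the question observed.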
