Hello.
If I set the following IAM policy to the EC2 IAM role, will I be able to output?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
      ]
    }
  ]
}
Resource-based policies define who is allowed to perform which actions, so wouldn't it be necessary to allow the ARN of the EC2 IAM role in "Principal"?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS-account-ID:role/ec2-role-name"
      },
      "Action": [
        "logs:*"
      ],
      "Resource": [
        "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]
        }
      }
    }
  ]
}
Hi,
Yes, you will be able to output the logs if you attach that policy to the EC2 IAM role. However, in my case, I am trying to output session manager logs by enabling logging from SSM directly, without using an IAM policy.
I assume the policy you are referring to is an IAM policy and not a CloudWatch Logs resource policy.
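
A static check over the two policy documents in the answer above, telling the identity-based one from the resource-based one and flagging what a reviewer would question before attaching either. This is an added example, not part of the original posts; the function names are hypothetical and the ARN check looks only at the field layout.

```python
import json

# The two policy documents from the answer above, embedded as strings.
IDENTITY_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:PutLogEvents"],
  "Resource": ["arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"]}]}"""
RESOURCE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "AWSLogDeliveryWrite20150319",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::AWS-account-ID:role/ec2-role-name"},
  "Action": ["logs:*"],
  "Resource": ["arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"],
  "Condition": {"StringEquals": {"aws:SourceAccount": ["0123456789"]},
                "ArnLike": {"aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]}}}]}"""

def as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    return list(value) if isinstance(value, list) else [value]

def arn_is_well_formed(arn):
    """Shape check only: arn:partition:service:region:account-id:resource."""
    parts = arn.split(":", 5)
    return arn == "*" or (len(parts) == 6 and parts[0] == "arn"
                          and all(parts[i] for i in (1, 2, 5)))

def lint_policy(document):
    """Return (kind, findings) for one policy document given as JSON text."""
    kinds, findings = set(), []
    for idx, stmt in enumerate(as_list(json.loads(document)["Statement"])):
        # A Principal element is what marks a statement as resource-based.
        kinds.add("resource-based" if "Principal" in stmt else "identity-based")
        for action in as_list(stmt.get("Action", [])):
            if stmt.get("Effect") == "Allow" and action.endswith("*"):
                findings.append(f"statement {idx}: wildcard action {action}")
        # Collect every ARN the statement relies on: resources and SourceArn conditions.
        arns = as_list(stmt.get("Resource", []))
        for operator in stmt.get("Condition", {}).values():
            for key, value in operator.items():
                if key.lower() == "aws:sourcearn":
                    arns += as_list(value)
        for arn in arns:
            if not arn_is_well_formed(arn):
                findings.append(f"statement {idx}: malformed ARN {arn}")
    return (kinds.pop() if len(kinds) == 1 else "mixed"), findings

if __name__ == "__main__":
    for name, doc in (("first", IDENTITY_POLICY), ("second", RESOURCE_POLICY)):
        print(name, *lint_policy(doc))
```
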