AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Least-privilege Cloudwatch Logs policy for API Gateway

0

Hey!

I'm trying to set up a new API Gateway through Terraform, and I'm having some trouble setting up the IAM policy for the cloudwatch logs role. I've created the log group, and set retention to 1 day, but I'm unable to create a policy that'll be accepted by the AWS console.

My current (anonymised) effort looks like this:

{
    "Statement": [
        {
            "Action": "logs:DescribeLogGroups",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "LogGroups"
        },
        {
            "Action": [
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:CreateLogStream"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*",
            "Sid": "LogStreams"
        }
    ],
    "Version": "2012-10-17"
}

When I try to set the cloudwatch log arn in the console, I get an error The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy.. If I try to edit the policy in the visual editor, it doesn't seem to like the format of the resources, but I've checked those repeatedly against the docs.

The trust relationship is straightfoward

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Any ideas?

주제
서버리스프론트엔드 웹 및 모바일네트워킹 및 콘텐츠 전송보안, 신원 및 규정 준수관리 및 거버넌스
태그
아마존 API 게이트웨이IAM 정책아마존 CloudWatch 로그
언어
English
BobTheMighty
질문됨 2년 전1748회 조회
1개 답변
2
수락된 답변

I think it's looking for all the permissions required based on AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs as listed in this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions. Then, I don't think you can specify the log group, since API Gateway uses the same CloudWatch logs IAM role across the region (e.g other REST APIs in the region will use the same IAM role).

The following sample should work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchAccess1",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*:log-stream:*"
        },
        {
            "Sid": "CloudWatchAccess2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*"
        }
    ]
}
profile picture
joahna
답변함 2년 전
  • BobTheMighty
    2년 전

    API Gateway uses the same CloudWatch logs IAM role across the region

    This is the first time I've consciously seen this information written down. That's super-helpful, thanks. I'll revert to using the managed policy and just ensure I've created my log-group before provisioning the APIG.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠