what credentials are needed for using only role when reading logs from aws cloudwatch


We would like to read log group events from an EC2 machine using the AWS SDK. We would like to use only role_arn, without a secret/access key. What are the minimum permissions that this role needs? Currently it is working with CloudWatchLogsFullAccess and STS:full, but we think that is redundant. Thanks

3 Answers

Hi! There are some examples here for least-privilege log read permissions. Example 3, without the create and put actions, should give you what you require: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html

answered 2 years ago
  • I concur with @Jonathan_R; Example 3: Allow access to one log group sounds like it is the resolution to your problem.

    Cheers, Jay

  • I don't see any STS-related permission there. Will it work using only role_arn and not a secret and access key?


Hi AWS-User-1046823,

You can use an OpenID Connect (OIDC) provider like Amazon Cognito to issue tokens to your SDK client and then [assume a role with WebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). The trust policy for the role would look something like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::11112222333:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "audience.value.configured.on.idp"
        }
      }
    }
  ]
}
```

In terms of least privilege, I would start with the AWS-managed policy CloudWatchLogsReadOnlyAccess, attached to the role above. Then use the IAM Access Analyzer policy generator on the role. Run your use case for a day or two, and the policy generator will create a least-privilege policy based on CloudTrail events that you can use to replace CloudWatchLogsReadOnlyAccess.

answered 2 years ago

Fundamentally all actions (which are API calls) in AWS are authenticated and authorized. Somewhere and somehow an Access Key, Secret Key, and Token will have been generated and will be used in the process of making the calls that you wish to make. There are approaches to provide other processes which have the access to perform actions which the identity you've assumed or are using does not have in order to provide separation of duties and/or least privilege.

If I understand your request correctly, you want to run some automation from an Amazon EC2 instance to pull data or whole logs from an Amazon CloudWatch Log Group. Right now your automation is using a role that it has to assume with the appropriate permissions, and therefore it has STS:AssumeRole among other permissions you do not wish it to have. An approach would be to use an Amazon EC2 Instance Profile (IAM Policy attached to the instance) with the appropriate CloudWatch Log Group permissions. This does have the risk that any process executed on that EC2 instance will have the same ability and privileges.

Another approach, which provides better separation of duties and keeps the human away from the source of truth for the data (assuming the logs, or the data in the logs, are accessed in a repeatable and known manner), is to leverage AWS Lambda to access the data and create the results, or to pull the logs into an Amazon Elastic FileShare or Amazon FSx network shared folder for access on the identified Amazon EC2 instance. This can remove the use of any STS actions and provides a native OS approach to gaining access to files. Another benefit is that you reduce the need for local file storage on the EC2 instance's ephemeral or Amazon EBS attached volumes.

answered 2 years ago
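The two threads of advice above (the first answer's "Example 3 minus the create/put actions" and the third answer's instance-profile path with no STS actions) can be combined into one concrete read-only setup. The following is an added example, not code from any of the answerers or from AWS documentation. It assumes the reader runs on an EC2 instance whose instance-profile role carries the policy it builds, so boto3's default credential chain obtains temporary credentials from the instance metadata service and the role needs no `sts:*` permission at all; the region, account id, log group, stream name and log events are constructed placeholders, and `FakeLogsClient` is a constructed stand-in for `boto3.client("logs")` so the reader can be exercised offline.

```python
"""Least-privilege CloudWatch Logs read path (added example, not from the thread)."""
import json

# Assumption: the code runs on an EC2 instance whose instance-profile role
# carries the policy built below, so boto3's default credential chain fetches
# temporary credentials from the instance metadata service. No sts:AssumeRole
# call is made, so the role needs no sts:* permission at all.
READ_ONLY_LOG_ACTIONS = [
    "logs:DescribeLogStreams",  # enumerate the streams of the group
    "logs:GetLogEvents",        # read events from one stream
    "logs:FilterLogEvents",     # pattern search across the whole group
]


def read_only_log_group_policy(region, account_id, log_group):
    """Identity-based policy that allows reading ONE log group and nothing else.

    Same shape as the docs' 'allow access to one log group' example with the
    CreateLogStream / PutLogEvents actions dropped. Region, account id and
    log group name are placeholders supplied by the caller.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": READ_ONLY_LOG_ACTIONS,
            # The trailing ':*' matches the log streams inside the group.
            "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*",
        }],
    }


def list_streams(client, log_group):
    """Page through DescribeLogStreams; the last page carries no nextToken."""
    streams, token = [], None
    while True:
        kwargs = {"logGroupName": log_group}
        if token:
            kwargs["nextToken"] = token
        page = client.describe_log_streams(**kwargs)
        streams.extend(s["logStreamName"] for s in page.get("logStreams", []))
        token = page.get("nextToken")
        if not token:
            return streams


def read_stream_events(client, log_group, log_stream):
    """Return every event of a stream, oldest first.

    GetLogEvents marks the end of a stream by returning a nextForwardToken
    equal to the one passed in (it never omits it), so a naive 'while token'
    loop would spin forever; stop when the token repeats.
    """
    events, token = [], None
    while True:
        kwargs = {"logGroupName": log_group, "logStreamName": log_stream,
                  "startFromHead": True}
        if token:
            kwargs["nextToken"] = token
        page = client.get_log_events(**kwargs)
        events.extend(page.get("events", []))
        new_token = page.get("nextForwardToken")
        if not new_token or new_token == token:
            return events
        token = new_token


def read_group(client, log_group):
    """Map each stream name of the group to its full event list."""
    return {s: read_stream_events(client, log_group, s)
            for s in list_streams(client, log_group)}


# Constructed responses standing in for the real 'logs' client so the reader
# can be exercised offline. Note the final page repeats its forward token.
SAMPLE_STREAM = "i-0abc123/app"
SAMPLE_PAGES = {
    None: {"events": [{"timestamp": 1700000000000, "message": "service boot"}],
           "nextForwardToken": "f/1"},
    "f/1": {"events": [{"timestamp": 1700000001000, "message": "listening on :8080"}],
            "nextForwardToken": "f/2"},
    "f/2": {"events": [], "nextForwardToken": "f/2"},
}


class FakeLogsClient:
    """Constructed stand-in exposing the two boto3 methods the reader calls."""

    def __init__(self, pages, stream=SAMPLE_STREAM):
        self._pages, self._stream = pages, stream

    def describe_log_streams(self, **kwargs):
        return {"logStreams": [{"logStreamName": self._stream}]}

    def get_log_events(self, **kwargs):
        return self._pages[kwargs.get("nextToken")]


if __name__ == "__main__":
    policy = read_only_log_group_policy("us-east-1", "123456789012", "app-logs")
    print(json.dumps(policy, indent=2))
    # Offline demonstration with the constructed client; on an instance with
    # the profile attached, pass boto3.client("logs") instead.
    print(read_group(FakeLogsClient(SAMPLE_PAGES), "app-logs"))
```

The policy contains only `logs:` actions scoped to one log group ARN, which is what replaces CloudWatchLogsFullAccess; the absence of any `sts:` action is what replaces "STS:full", because with an instance profile the SDK never calls AssumeRole itself. If you do keep a separate `role_arn` that the instance role assumes, the instance role then needs exactly `sts:AssumeRole` on that one target role ARN, and the target role's trust policy must name the instance role as principal; nothing broader.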
