Cannot Update Trail with CloudWatch Log Group via Boto3


Hey all,

I'm trying to update my CloudTrail trail with a CloudWatch Log Group. I firstly create an IAM Role (that will be assumed by CloudTrail), I then create the CloudWatch Group and run the update_trail Boto3 API call. The error I receive when trying to update is:

"errorCode": "InvalidCloudWatchLogsRoleArnException"
    "errorMessage": "Access denied. Check the trust relationships for your role."

The API request extracted from CloudTrail itself looks like:

    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "<principal_id>:auto-remediate-dev",
        "arn": "<sts_arn>",
        "accountId": "<acc_num>",
        "accessKeyId": "<access_key>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "<principal_id>",
                "arn": "arn:aws:iam::<acc_num>:role/auto-remediate-dev-AutoRemediate-<region>-lambdaRole",
                "accountId": "<acc_num>",
                "userName": "auto-remediate-dev-AutoRemediate-<region>-lambdaRole"
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-05-15T09:13:30Z"
    "eventTime": "2019-05-15T09:58:20Z",
    "eventSource": "",
    "eventName": "UpdateTrail",
    "awsRegion": "<region>",
    "sourceIPAddress": "",
    "userAgent": "Boto3/1.9.42 Python/3.7.3 Linux/4.14.109-80.92.amzn1.x86_64 exec-env/AWS_Lambda_python3.7 Botocore/1.12.42",
    "errorCode": "InvalidCloudWatchLogsRoleArnException",
    "errorMessage": "Access denied. Check the trust relationships for your role.",
    "requestParameters": {
        "name": "MaratTest",
        "cloudWatchLogsLogGroupArn": "arn:aws:logs:<region>:<acc_num>:log-group:/aws/cloudtrail/MaratTest:*",
        "cloudWatchLogsRoleArn": "arn:aws:iam::<acc_num>:role/CloudTrail-CloudWatchLogs-MaratTest"
    "responseElements": null,
    "requestID": "3244c931-3892-4fca-9664-df38cdb3be54",
    "eventID": "0d5a1e82-95be-46b5-a430-91a407bd7b13",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "<acc_num>"

The strange thing about this is, when I use the exact same IAM Role and CloudWatch Log Group but initiate the CloudTrail update via the console, it all works perfect and then exact same API request is captured by CloudTrail but is successful this time.

I'm not sure what the error could be and nothing I've researched has helped me find the right solution. Any help would be greatly appreciated.

asked 5 years ago744 views
2 Answers
Accepted Answer

It is possible that the IAM role was not propagated yet when you attempted to update the trail. Is the problem still occurring?

If so, I recommend that you double-check the role policy and trust relationships as the next step.

If the issue is not resolved, you could post the role policy and trust policy or you could open a case with AWS support to dive deeper.

answered 5 years ago
profile picture
reviewed a year ago

Thanks very much Jeff. We actually solved this a couple of hours after posting. The answer was as you first mentioned... the IAM Role had not propagated throughout the system quickly enough for me to assign it.

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions