Hi. I agree with Gupta. In addition, the policy will look like this.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/Owner": "Hoge"
                }
            }
        }
    ]
}
To restrict the IAM role to only allow deletion of the specific Lambda function's log group, you can add a condition to the existing IAM policy. You can use the aws:ResourceTag condition to limit the DeleteLogGroup action to log groups that have a specific tag applied, and then apply that tag to the log group you want to allow deletion for.
Unfortunately, as far as I can tell from the official documentation of the condition keys supported by the Cloudwatch Logs policy statement, it is not possible to specify such detailed conditions for log groups that do not have a Retention Period.
Amazon CloudWatch Logs defines the following condition keys that can be used in the Condition element of an IAM policy
If the Lambda log group you are creating is the only one with a specific prefix, you can specify it in the resource section as arn:aws:logs:us-east-1::log-group:${LogGroupPrefix}, etc. to restrict it to some extent, though not completely. If you want complete control, you will need to specify the full ARN in the resource section.
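The two answers above fit together: since CloudWatch Logs has no condition key for retention, the "no retention period" check has to live in the Lambda code, while the IAM policy limits what that code may delete via a resource ARN prefix and a resource tag. The following is an added example, not code from either answer or from AWS; the account id, prefix and Owner tag value are placeholders, and the sample pages are constructed to mimic boto3 describe_log_groups output so it runs offline.

```python
"""Added example: select log groups lacking retention, and build the scoped
IAM policy for the deleting role. Account id, prefix and tag are placeholders."""
from typing import Iterable


def select_log_groups_without_retention(pages: Iterable[dict], prefix: str) -> list[str]:
    """Return names of log groups under `prefix` that have no retentionInDays.

    `pages` mimics the pages yielded by a boto3 describe_log_groups paginator;
    CloudWatch omits the retentionInDays key when retention is 'Never expire'.
    """
    names = []
    for page in pages:
        for group in page.get("logGroups", []):
            name = group["logGroupName"]
            if name.startswith(prefix) and "retentionInDays" not in group:
                names.append(name)
    return names


def build_delete_policy(region: str, account_id: str, prefix: str, owner_tag: str) -> dict:
    """Least-privilege policy: describe any group, but delete only groups whose
    ARN starts with `prefix` and which carry Owner=<owner_tag>. The retention
    check cannot be expressed as a condition, so it stays in the Lambda code."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "logs:DeleteLogGroup",
                "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:{prefix}*",
                "Condition": {"StringEquals": {"aws:ResourceTag/Owner": owner_tag}},
            },
        ],
    }


# Constructed sample pages standing in for describe_log_groups output.
SAMPLE_PAGES = [
    {"logGroups": [
        {"logGroupName": "/aws/lambda/cleanup", "retentionInDays": 14},
        {"logGroupName": "/aws/lambda/orders"},           # never expires
    ]},
    {"logGroups": [
        {"logGroupName": "/ecs/api"},                     # outside the prefix
        {"logGroupName": "/aws/lambda/billing"},          # never expires
    ]},
]

if __name__ == "__main__":
    targets = select_log_groups_without_retention(SAMPLE_PAGES, "/aws/lambda/")
    print(targets)  # ['/aws/lambda/orders', '/aws/lambda/billing']
    # In the real Lambda: for name in targets: logs.delete_log_group(logGroupName=name)
```

Because the policy's Resource is an ARN prefix, a group outside it (such as /ecs/api above) is refused by IAM even if the Lambda's filter were to select it.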
The Lambda function will validate all log groups available and will delete the log groups which don't have any retention period set. Need a condition statement for that.
This is not just for a lambda log group but for all log groups
Hi. Check another answer I posted.