IAM role/policy restrictions

0

Hi Team. I'm working on cross accounts, so i have a lambda function which delete the log group which doesn't have any retention period to it. I'm assuming the role from other aws account using sts_connection = boto3.client('sts') in my lambda code. I need a restriction rule to this role to just pick up a single lambda function i.e my lambda and not by the other lambda functions. As of now i have policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:DeleteLogGroup" ], "Resource": [ "arn:aws:logs:::" ] } ] } Lambda Basic execution: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "" } ] } TRUST RELATIONSHIP: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<Acc_id>:root", "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } Kindly provide a solution to this as the plicy needs to be updated or conditions needs to be applied for the above policy, Thanks!

3 Answers
0

Hi. Agree with Gupta. In addition, policy will like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/Owner": "Hoge"
                }
            }
        }
    ]
}
profile picture
EXPERT
answered 8 months ago
  • The lambda function will validate all log group available and will delete the logs groups which dont have any retention period to it. Need a condition statement for that

  • The lambda function will validate all log group available and will delete the logs groups which dont have any retention period to it. Need a condition statement for that

    This is not just for a lambda log group but for all log groups

  • Hi. Check another answer I posted.

0

To restrict the IAM role to only allow deletion of the specific Lambda function's log group, you can add a condition to the existing IAM policy. You can use the aws:ResourceTag condition to limit the DeleteLogGroup action to log groups that have a specific tag applied, and then apply that tag to the log group you want to allow deletion for.

answered 8 months ago
profile picture
EXPERT
reviewed 8 months ago
0

Unfortunately, as far as I can tell from the official documentation of the condition keys supported by the Cloudwatch Logs policy statement, it is not possible to specify such detailed conditions for log groups that do not have a Retention Period.

Amazon CloudWatch Logs defines the following condition keys that can be used in the Condition element of an IAM policy

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys

https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table

If the Lambda log group you are creating is the only one with a specific prefix, you can specify it in the resource section as arn:aws:logs:us-east-1::log-group:${LogGroupPrefix}, etc. to restrict it to some extent, though not completely.. If you want complete control, you will need to specify the full arn in the resource section.

profile picture
EXPERT
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions