Hello,
As per the AWS Doc on Actions, resources, and condition keys for Amazon CloudWatch Logs, the FilterLogEvents API only supports the log-group* resource type.

Note - log-group resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}

However, as evident from the policy above, you are trying to restrict the FilterLogEvents API with a log stream resource type instead -> arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*

Note - log-stream resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}
Additionally note that the "Run Query" button calls "FilterLogEvents" action in the back end. Hence, you can only restrict it to a specific log group.
Similarly, the DescribeQueryDefinitions API currently doesn't support any Resource ARN restriction, as evident from the above AWS Doc as well. Remember, if there is no value in this column (Resource types), you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. Hence, you can't restrict it with a log group or log stream resource type. It's basically an all-or-nothing List API operation which you can't restrict at the given time.
Also, please note that these two IAM actions/CloudWatch Logs APIs currently do not support any condition keys either.
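An added example, not part of the answer above: a small Python linter that flags the two pitfalls the answer describes, a FilterLogEvents statement scoped to a log-stream ARN (which never matches) and a DescribeQueryDefinitions statement scoped to anything other than "*". The ARN regex and the two sample policies are constructed for illustration, with the same ACCOUNT-ID / ORG-ID placeholders as the answer.

```python
import json
import re

# Log-group ARN shape quoted in the answer:
#   arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}
# A trailing ":*" is also accepted here (a common way to cover a group and its streams).
LOG_GROUP_ARN = re.compile(r"^arn:[^:]*:logs:[^:]*:[^:]*:log-group:[^:]+(:\*)?$")

LOG_GROUP_ONLY = {"logs:FilterLogEvents"}       # only resource type: log-group*
STAR_ONLY = {"logs:DescribeQueryDefinitions"}   # no resource type: Resource must be "*"


def _as_list(value):
    """IAM allows a string, a single object, or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_policy(policy: dict) -> list:
    """Return findings for the two pitfalls; an empty list means none were found.
    Only exact action names in Action/Resource are inspected (NotAction,
    NotResource and wildcard actions such as logs:* are not expanded)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        for action in _as_list(stmt.get("Action")):
            for res in _as_list(stmt.get("Resource")):
                if action in LOG_GROUP_ONLY and res != "*" and not LOG_GROUP_ARN.match(res):
                    findings.append(f"Statement {i}: {action} never matches {res!r}; "
                                    "it only supports the log-group resource type")
                elif action in STAR_ONLY and res != "*":
                    findings.append(f"Statement {i}: {action} supports no resource type; "
                                    'Resource must be "*"')
    return findings


# Constructed sample policies: the mistaken one and the corrected one.
WRONG_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "logs:FilterLogEvents",
   "Resource": "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"},
  {"Effect": "Allow", "Action": "logs:DescribeQueryDefinitions",
   "Resource": "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs"}]}""")

FIXED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "logs:FilterLogEvents",
   "Resource": "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs"},
  {"Effect": "Allow", "Action": "logs:DescribeQueryDefinitions", "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, pol in (("wrong", WRONG_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
```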