By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Limit access to CloudWatch Logs Insights query results

0

Hey guys,

I created an IAM Identity Center permission set and group. The permission set attached to the group only allows the users inside the group to view CloudWatch logs generated by a specific account (our Crypto account), the statement looks like this:

Note: The statement with the ID "DescribeCryptoTrail" limits the user to only view logs from our Crypto account.

"Statement":{        
 "Sid": "DescribeCryptoTrail",         
 "Action": "logs:GetLogEvents",         
 "Effect": "Allow",         
 "Resource": [             
    "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
    ]
}

This works well since the user gets a permission denied error when he tries to view logs from a different account, but now my concern is how do I limit access to the queries the users can return in CloudWatch Logs Insights? For example, the users in the Crypto-Access group should only be able to return queries that were generated by the Crypto account.

So far, I have tried using statements such as:

{
"Sid": "AdditionalPermissions",         
        "Action": 
         [             
            "logs:FilterLogEvents"
         ],         
        "Effect": "Allow",         
        "Resource": 
        [             
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"         
        ]     
},     
{         
"Sid": "AdditionalPermissionsTwo",         
        "Action": 
         [             
           "logs:DescribeQueryDefinitions"         
         ],         
         "Effect": "Allow",         
         "Resource": 
         [             
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"         
         ]     
}

This is a similar approach as to what worked for granting access to the CloudWatch logs, but this time it seems I need to grant access to the entire log group judging from the error:

not authorized to perform: logs:FilterLogEvents on resource: arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:* because no identity-based policy allows the logs:FilterLogEvents action

This indicates that I need to provide access to the main log group, I can't limit it to a specific path in the log group.

Is there any other way I can force query results based on the IAM policy, or maybe a way I can require a user to include a filter in the query such as filter recipientAccountId = "CRYPTO-ACCOUNT-ID"

Thanks in advance

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Identity and Access ManagementAmazon CloudWatchCloudWatch Logs InsightsIAM PoliciesAmazon CloudWatch Logs
Language
English
rePost-User-3116486
asked a year ago1413 views
1 Answer
0

Hello,

As per the AWS Doc on Actions, resources, and condition keys for Amazon CloudWatch Logs, the APIs - FilterLogEvents only supports log-group* Resource types.

Note - log-group resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}

However, as evident from the policy above, you are trying to restrict FilterLogEvents API with a log stream resource type instead -> arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*.

Note - log-stream resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}

Additionally note that the "Run Query" button calls "FilterLogEvents" action in the back end. Hence, you can only restrict it to a specific log group.

Similarly, DescribeQueryDefinitions API currently doesn't support any Resource ARN restriction as evident from above AWS Doc as well. Remember if there is no value for this column (Resource types), you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. Hence, you can't restrict it with a log group or log stream resource type. It's basically an all or nothing List API operation which you can't restrict at the given time.

*Also, please note that these two IAM actions/Cloudwatch Logs APIs currently do not support any condition keys either.

profile pictureAWS
SUPPORT ENGINEER
Yash_C
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content