1 Answer
Hello.
If I set the following IAM policy on the EC2 IAM role, will I be able to output the logs?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
            ]
        }
    ]
}
Resource-based policies define who is allowed to perform which actions, so wouldn't it be necessary to allow the ARN of the EC2 IAM role in "Principal"?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS-account-ID:role/ec2-role-name"
            },
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": ["0123456789"]
                },
                "ArnLike": {
                    "aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]
                }
            }
        }
    ]
}
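To make the identity-based versus resource-based distinction concrete, here is an added Python example (not from this thread or from AWS) that evaluates the first policy above the way IAM evaluates an identity-based policy: no Principal is consulted, because the policy applies to whatever role it is attached to. It then reports which of the CloudWatch Logs actions an agent typically needs for session logging the policy covers; that action list and the request ARNs are assumptions constructed for the example, so confirm them against the current Session Manager documentation.

```python
import json
import re

# Identity-based policy from the question, attached to the EC2 instance role.
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:PutLogEvents"],
    "Resource": ["arn:aws:logs:ap-northeast-1:0123456789:log-group:session-manager:log-stream:*"]
  }]
}""")

# Log actions an agent typically needs for CloudWatch Logs session logging.
# Assumed set and constructed request ARNs for this example; confirm against the current docs.
REGION, ACCOUNT, GROUP = "ap-northeast-1", "0123456789", "session-manager"
GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{GROUP}"
SESSION_LOGGING_REQUESTS = {
    "logs:DescribeLogGroups": "*",  # API without resource-level permissions needs Resource "*"
    "logs:CreateLogStream": GROUP_ARN,
    "logs:DescribeLogStreams": GROUP_ARN,
    "logs:PutLogEvents": GROUP_ARN + ":log-stream:example-session",
}

def iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

as_list = lambda v: [v] if isinstance(v, str) else list(v)  # IAM allows string or array

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. No Principal is checked, unlike a resource-based policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action, True) for a in as_list(stmt.get("Action", []))):
            continue
        if not any(iam_match(r, resource) for r in as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_session_logging_permissions(policy):
    """Return the assumed session-logging actions that the policy does not cover."""
    return [a for a, r in SESSION_LOGGING_REQUESTS.items() if not is_allowed(policy, a, r)]
```

Running `missing_session_logging_permissions(QUESTION_POLICY)` shows that the posted policy grants only PutLogEvents on streams in the group, which is the check to run before attaching such a policy to a role.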
Hi,
Yes, you will be able to output the logs if you attach that policy to the EC2 IAM role. However, in my case, I am trying to output session manager logs by enabling logging from SSM directly, without using an IAM policy.
I assume the policy you are referring to is an IAM policy and not a CloudWatch Logs resource policy.