By using AWS re:Post, you agree to the Terms of Use
/Least-privilege Cloudwatch Logs policy for API Gateway/

Least-privilege Cloudwatch Logs policy for API Gateway

0

Hey!

I'm trying to set up a new API Gateway through Terraform, and I'm having some trouble setting up the IAM policy for the cloudwatch logs role. I've created the log group, and set retention to 1 day, but I'm unable to create a policy that'll be accepted by the AWS console.

My current (anonymised) effort looks like this:

{
    "Statement": [
        {
            "Action": "logs:DescribeLogGroups",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "LogGroups"
        },
        {
            "Action": [
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:DescribeLogStreams",
                "logs:CreateLogStream"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*",
            "Sid": "LogStreams"
        }
    ],
    "Version": "2012-10-17"
}

When I try to set the cloudwatch log arn in the console, I get an error The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy.. If I try to edit the policy in the visual editor, it doesn't seem to like the format of the resources, but I've checked those repeatedly against the docs.

The trust relationship is straightfoward

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Any ideas?

1 Answers
2
Accepted Answer

I think it's looking for all the permissions required based on AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs as listed in this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions. Then, I don't think you can specify the log group, since API Gateway uses the same CloudWatch logs IAM role across the region (e.g other REST APIs in the region will use the same IAM role).

The following sample should work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchAccess1",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*:log-stream:*"
        },
        {
            "Sid": "CloudWatchAccess2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*"
        }
    ]
}
answered 5 months ago
  • API Gateway uses the same CloudWatch logs IAM role across the region

    This is the first time I've consciously seen this information written down. That's super-helpful, thanks. I'll revert to using the managed policy and just ensure I've created my log-group before provisioning the APIG.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions