Least-privilege Cloudwatch Logs policy for API Gateway
Hey!
I'm trying to set up a new API Gateway through Terraform, and I'm having some trouble setting up the IAM policy for the cloudwatch logs role. I've created the log group, and set retention to 1 day, but I'm unable to create a policy that'll be accepted by the AWS console.
My current (anonymised) effort looks like this:
```json
{
  "Statement": [
    {
      "Action": "logs:DescribeLogGroups",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "LogGroups"
    },
    {
      "Action": [
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:DescribeLogStreams",
        "logs:CreateLogStream"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*",
      "Sid": "LogStreams"
    }
  ],
  "Version": "2012-10-17"
}
```
When I try to set the CloudWatch log ARN in the console, I get an error: "The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy." If I try to edit the policy in the visual editor, it doesn't seem to like the format of the resources, but I've checked those repeatedly against the docs.
The trust relationship is straightforward:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Any ideas?
I think it's looking for all the permissions required based on AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs as listed in this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions. Then, I don't think you can specify the log group, since API Gateway uses the same CloudWatch logs IAM role across the region (e.g. other REST APIs in the region will use the same IAM role).
The following sample should work:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchAccess1",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*:log-stream:*"
    },
    {
      "Sid": "CloudWatchAccess2",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*"
    }
  ]
}
```
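To see concretely why the original policy is rejected while the sample above is accepted, here is a small added check (my example, not part of the question, the answer, or any AWS tooling) that compares a role policy against the action list the answer reproduces from AmazonAPIGatewayPushToCloudWatchLogs and flags Allow statements pinned to a single log group. It assumes that action list still matches the current managed policy; both sample policies are constructed copies of the ones posted above, with the answer's placeholders filled with made-up values.

```python
import fnmatch
import json

# Action set of AmazonAPIGatewayPushToCloudWatchLogs as reproduced in the answer above
# (assumption: AWS has not changed the managed policy since that answer was written).
REQUIRED_ACTIONS = frozenset({
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
})

# Constructed copy of the asker's policy (anonymised account id kept as posted).
ASKER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LogGroups", "Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
    {"Sid": "LogStreams", "Effect": "Allow",
     "Action": ["logs:PutLogEvents", "logs:GetLogEvents", "logs:DescribeLogStreams", "logs:CreateLogStream"],
     "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*"}
  ]
}""")

# Constructed copy of the answer's sample, with placeholder region/account values.
ANSWER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CloudWatchAccess1", "Effect": "Allow",
     "Action": ["logs:GetLogEvents", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-west-1:000000000000:log-group:*:log-stream:*"},
    {"Sid": "CloudWatchAccess2", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams",
                "logs:FilterLogEvents", "logs:CreateLogGroup"],
     "Resource": "arn:aws:logs:eu-west-1:000000000000:log-group:*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """Case-insensitive IAM-style match: '*' and '?' wildcards (e.g. 'logs:*', 'logs:Describe*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, required=REQUIRED_ACTIONS):
    """Subset of `required` granted by some Allow statement. Deny statements are not
    evaluated: the role policy under discussion has none, and a real evaluation would
    also need to consider them."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in required if _matches(pattern, a))
    return granted


def missing_actions(policy):
    """Required actions the policy does not grant, sorted for stable output."""
    return sorted(REQUIRED_ACTIONS - allowed_actions(policy))


def narrowed_resources(policy):
    """Allow statements whose log-group resource is narrower than 'log-group:*'.
    API Gateway uses one CloudWatch role per region for every REST API, so a policy
    pinned to one log group cannot serve the next API that is created."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource")):
            if ":log-group:" in res and ":log-group:*" not in res:
                findings.append((stmt.get("Sid", "<no sid>"), res))
    return findings


if __name__ == "__main__":
    for name, pol in (("asker", ASKER_POLICY), ("answer", ANSWER_POLICY)):
        print(f"{name}: missing={missing_actions(pol)} narrowed={narrowed_resources(pol)}")
```

Running it reports that the asker's policy lacks logs:CreateLogGroup and logs:FilterLogEvents and that its LogStreams statement is pinned to one log group, while the answer's sample has neither gap. The same function can be pointed at any candidate policy before it is attached to the account-level API Gateway role, which is cheaper than discovering the gap through the console error.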
This is the first time I've consciously seen this information written down. That's super-helpful, thanks. I'll revert to using the managed policy and just ensure I've created my log-group before provisioning the APIG.