The logs:GetQueryResults permission is missing, but I am using root account

Question

We started having this problem recently, this was working. I am using root account, I am administrator and owner of account. When I try to see SMS delivery logs on Amazon SNS service I get this error message:

The logs:GetQueryResults permission is missing.
To enhance security for CloudWatch Logs Insights queries, beginning on July 31, 2025 users must be signed on with both the logs:StartQuery and logs:GetQueryResults permissions to be able to view query results in the CloudWatch console.

Again, this was working for years and stopped recently. Manuals and AWS AI are saying that I need to add few logs:query... permissions, but this is not subaccount, this is admin account. I tried adding them explicitly to user accounts, but I still have the same error message (I added CloudWatchReadOnlyAccess and CloudWatchFullAccess as advised). Any idea what might be the problem ?

Kidd Ip · Answer

These are some changes from AWS that related to your case:

- Before July 31, 2025: Root accounts and users with CloudWatch access could run queries without needing explicit logs:GetQueryResults.
- After July 31, 2025: AWS tightened security. Now both permissions are mandatory for all identities, including the root account.

https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetQueryResults.html

https://docs.aws.amazon.com/cli/latest/reference/athena/get-query-results.html

https://repost.aws/questions/QULInT7WNvRYafkTh1hi8SdQ/limit-access-to-cloudwatch-logs-insights-query-results

The logs:GetQueryResults permission is missing, but I am using root account

Add your answer

Relevant content