How to give a user access only to a specific group of cloudwatch logs

0

Hello

I have created a user and I want to give him the permission to access only a specific group of cloudwatch logs. For this, I have assigned the following strategy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/copro*"
        }
    ]
}

When the user tries to access CloudWatch this is the error message he gets:

User: arn:aws:iam::<accountId>:user/poreck is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:<aws-region>:<accountId>:log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action

I understand that the action logs:DescribeLogGroups is not applicable to a specific resource, because if in the strategy I replace the value of the Resource field with "*", the user has access to all the log groups and I don't want that.

My question is to know if there is a way to bypass this blocking by modifying the strategy. Or if there is a simple external solution that consists in retrieving these specific log groups.

Thanks for any help

Sincerely

  • Could you please elaborate how that particular user wants to access the logs? Via the AWS Management Console? Via AWS CLI? AWS SDK for a programming language?

asked 2 years ago · 3617 views
1 Answer
0

The ARN for CloudWatch Log Groups follows this pattern: arn:aws:logs:us-east-1:123456789012:log-group:/loggroupname:*

Note the last :*

That references each log stream. Please try modifying your policy as such:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:<full-log-group-name>:*"
        }
    ]
}
AWS
answered a year ago
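To see which ARNs a Resource pattern actually covers before rolling a policy out, it helps to evaluate the pattern offline. The script below is an added example written for this page; it is not code from the asker, the answerer or AWS. It implements only IAM's wildcard matching rule (`*` matches any run of characters, including `:` and `/`, `?` matches one character; action names are compared case-insensitively, ARNs case-sensitively) and a deliberately simplified evaluator (Allow statements only, no Deny, no Condition). The region, account id and log group name `/ecs/copro-api` are constructed stand-ins for the `<aws-region>`, `<accountId>` and `<full-log-group-name>` placeholders above; the sample ARNs are constructed from the ARN quoted in the asker's error message, the `log-group:/name:*` form the answer describes, one log stream under that group, and an unrelated group.

```python
import re

# Constructed sample values standing in for the page's <aws-region> and <accountId>.
REGION = "eu-west-1"
ACCOUNT = "123456789012"
PREFIX = f"arn:aws:logs:{REGION}:{ACCOUNT}:"

# The three Resource values discussed on the page: the asker's prefix pattern,
# the answer's full-name-plus-":*" pattern, and the "*" the asker wants to avoid.
# "/ecs/copro-api" is a constructed log group name.
ASKER_RESOURCE = PREFIX + "log-group:/ecs/copro*"
ANSWER_RESOURCE = PREFIX + "log-group:/ecs/copro-api:*"
WILDCARD_RESOURCE = "*"

# The action list from the posted policy, unchanged.
ACTIONS = ["logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery",
           "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents"]


def make_policy(resource):
    """Build the single-statement policy from the page with the given Resource."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ACTIONS, "Resource": resource}]}


def iam_glob(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' matches any run of characters (':' and '/'
    included), '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource_arn):
    """Simplified evaluation (assumption): Allow statements only, no Deny, no
    Condition, no resource-based policies. An action is allowed when one
    statement matches both the action name and the ARN the request is
    evaluated against."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(iam_glob(a, action, case_sensitive=False) for a in actions)
                and any(iam_glob(r, resource_arn) for r in resources)):
            return True
    return False


# Constructed ARNs a request may be evaluated against: the resource quoted in
# the asker's error message, a log group in the ":*" form the answer describes,
# one of its streams, and an unrelated group.
ERROR_ARN = PREFIX + "log-group::log-stream:"
GROUP_ARN = PREFIX + "log-group:/ecs/copro-api:*"
STREAM_ARN = PREFIX + "log-group:/ecs/copro-api:log-stream:ecs/copro-api/0123abcd"
OTHER_GROUP_ARN = PREFIX + "log-group:/ecs/other:*"


def coverage(resource):
    """For the policy built from `resource`, report whether the typical action
    against each sample ARN is allowed."""
    policy = make_policy(resource)
    return {
        "describe_log_groups_as_in_error": is_allowed(policy, "logs:DescribeLogGroups", ERROR_ARN),
        "filter_copro_group": is_allowed(policy, "logs:FilterLogEvents", GROUP_ARN),
        "get_copro_stream": is_allowed(policy, "logs:GetLogEvents", STREAM_ARN),
        "filter_other_group": is_allowed(policy, "logs:FilterLogEvents", OTHER_GROUP_ARN),
    }


if __name__ == "__main__":
    for label, resource in [("asker", ASKER_RESOURCE), ("answer", ANSWER_RESOURCE),
                            ("star", WILDCARD_RESOURCE)]:
        print(label, coverage(resource))
```

Two things the output makes visible: `logs:Describe*` does match `logs:DescribeLogGroups`, so the action side of the statement is not what the error complains about, and neither the prefix pattern nor the `:*` pattern matches the `log-group::log-stream:` ARN that the error message reports as the evaluated resource, while both confine FilterLogEvents and GetLogEvents to the copro group and its streams. For a check against IAM's real engine rather than this simplified one, the IAM policy simulator (`aws iam simulate-custom-policy` with `--policy-input-list`, `--action-names` and `--resource-arns`) evaluates a candidate policy without attaching it to a user.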
