By using AWS re:Post, you agree to the Terms of Use

How to give a user access only to a specific group of cloudwatch logs

0

Hello

I have created a user and I want to give him the permission to access only a specific group of cloudwatch logs. For this, I have assigned the following strategy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
	    "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/copro*"
        }
    ]
}

When the user tries to access cloudwatch this is the error message he gets :

User: arn:aws:iam::<accountId>:user/poreck is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:<aws-region>:<accountId>:log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action

I understand that the action logs:DescribeLogGroups is not applicable to a specific resource. Because if in the strategy I replace the value of the **Resource **field with "*", the user has access to all the log groups and I don't want that.

My question is to know if there is a way to bypass this blocking by modifying the strategy. Or if there is a simple external solution that consists in retrieving these specific log groups.

Thanks for any help

Sincerely

  • Could you please elaborate how that particular user wants to access the logs? Via the AWS Management Console? Via AWS CLI? AWS SDK for a programming language?

No Answers

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions