How to give a user access only to a specific group of cloudwatch logs



I have created a user and I want to give him permission to access only a specific group of CloudWatch log groups. For this, I have assigned the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    ...
                ],
                "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/copro*"
            }
        ]
    }

When the user tries to access CloudWatch, this is the error message he gets:

User: arn:aws:iam::<accountId>:user/poreck is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:<aws-region>:<accountId>:log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action

I understand that the action logs:DescribeLogGroups is not applicable to a specific resource, because if in the policy I replace the value of the **Resource** field with "*", the user has access to all the log groups, and I don't want that.

My question is whether there is a way around this block by modifying the policy, or whether there is a simple external solution that retrieves these specific log groups.

Thanks for any help
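As an added illustration (not part of the question, and not AWS code), a small Python model of IAM resource matching that shows why the posted policy denies the console's DescribeLogGroups call and how splitting the policy into a list statement on all log groups plus a read statement scoped to the prefix resolves it. The actions in the original policy are assumed, since the post omits them, and the evaluator is a simplified stand-in for IAM (Allow statements only, no Deny, conditions or NotAction).

```python
import re

# Constructed ARNs; <aws-region> and <accountId> are the question's placeholders.
PREFIX_ARN = "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/copro*"
ANY_GROUP_ARN = "arn:aws:logs:<aws-region>:<accountId>:log-group:*"
# Resource the console named in the error message (empty group, empty stream).
DESCRIBE_RESOURCE = "arn:aws:logs:<aws-region>:<accountId>:log-group::log-stream:"

# Policy as posted (action list assumed): everything scoped to the prefix.
ORIGINAL_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents"],
     "Resource": PREFIX_ARN}]}

# Split policy: the list call on any log group (names/metadata only),
# data reads (streams, events) only on groups under the prefix.
SPLIT_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["logs:DescribeLogGroups"], "Resource": ANY_GROUP_ARN},
    {"Effect": "Allow",
     "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
     "Resource": PREFIX_ARN}]}


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters (colons included), '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluator: True if any Allow statement matches action and resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(iam_match(a, action) for a in actions) and any(iam_match(r, resource) for r in resources):
            return True
    return False


if __name__ == "__main__":
    copro_stream = "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/copro-api:log-stream:task-1"
    other_stream = "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/other:log-stream:task-1"
    for name, policy in (("original", ORIGINAL_POLICY), ("split", SPLIT_POLICY)):
        print(name, "DescribeLogGroups:", is_allowed(policy, "logs:DescribeLogGroups", DESCRIBE_RESOURCE))
        print(name, "GetLogEvents copro:", is_allowed(policy, "logs:GetLogEvents", copro_stream))
        print(name, "GetLogEvents other:", is_allowed(policy, "logs:GetLogEvents", other_stream))
```

With the split policy the user can list the names of all log groups but can only read streams and events under /ecs/copro*; note that the prefix ARN also matches any group whose name merely starts with /ecs/copro.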


  • Could you please elaborate how that particular user wants to access the logs? Via the AWS Management Console? Via AWS CLI? AWS SDK for a programming language?

