1 Answer
0
The ARN for CloudWatch Log Groups follows this pattern:
arn:aws:logs:us-east-1:123456789012:log-group:/loggroupname:*
Note the last :*
That references each log stream. Please try modifying your policy as such:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:<full-log-group-name>:*"
        }
    ]
}
answered a year ago
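An offline lint for the point made in the answer above, added here as an example that is not part of the original answer or of any AWS tooling: it walks an IAM policy document and flags `logs:` statements whose log-group ARN lacks the trailing `:*`. The function names and the sample policy are constructed for illustration.

```python
import json
import re

# Matches a CloudWatch Logs log-group ARN and captures whatever follows the
# log-group name (":*", ":log-stream:...", or nothing at all).
LOG_GROUP_ARN = re.compile(
    r"^arn:[^:]+:logs:[^:]*:[^:]*:log-group:(?P<name>[^:]+)(?P<suffix>:.*)?$"
)

def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def find_log_group_arn_issues(policy):
    """Return (statement_index, resource, suggested_resource) for each
    log-group ARN in a logs statement that has no ':*' (or stream) suffix."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        actions = _as_list(stmt.get("Action"))
        if not any(a == "*" or a.lower().startswith("logs:") for a in actions):
            continue  # statement does not concern CloudWatch Logs
        for res in _as_list(stmt.get("Resource")):
            m = LOG_GROUP_ARN.match(res)
            if m and m.group("suffix") is None:
                findings.append((idx, res, res + ":*"))
    return findings

# Constructed sample: statement 0 omits the suffix, statement 1 follows the
# pattern from the answer.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": ["logs:Get*", "logs:FilterLogEvents"],
   "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/loggroupname"},
  {"Effect": "Allow", "Action": "logs:StartQuery",
   "Resource": ["arn:aws:logs:us-east-1:123456789012:log-group:/loggroupname:*"]}
 ]}
""")

if __name__ == "__main__":
    for idx, res, fix in find_log_group_arn_issues(SAMPLE_POLICY):
        print(f"Statement[{idx}]: {res} -> {fix}")
```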
Could you please elaborate how that particular user wants to access the logs? Via the AWS Management Console? Via AWS CLI? AWS SDK for a programming language?