
Restrict CloudWatch Logs


Hi there. We have an IAM user called mlops1. We would like mlops1 to be able to use the AWS console to view logs in CloudWatch, but only a certain log group. This is what the allowed actions look like in our IAM policy (note that the Account ID has been redacted):

    {
        "Effect": "Allow",
        "Action": [
            "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "logs:Get*", "logs:List*",
            "logs:StartQuery", "logs:StopQuery", "logs:Describe*", "logs:TestMetricFilter", "logs:FilterLogEvents"
        ],
        "Resource": "arn:aws:logs:us-east-1:<account_id>:log-group:/aws/sagemaker/TrainingJobs:log-stream:*"
    }

As you can see, we would like mlops1 to be able to access only the "/aws/sagemaker/TrainingJobs" log group. However, the user receives the following error message (again, Account ID has been redacted):

Error: User: arn:aws:iam::<account_id>:user/mlops1 is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:us-east-1:<account_id>:log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action

This error message is not true since the policy contains "logs:Describe*". We found that when we open up to all resources (i.e. *), then mlops1 can access the desired logs in CloudWatch. However, this user can also access any other logs, which is not what we want. How can we limit the user's access to just the "/aws/sagemaker/TrainingJobs" log group? Is there some additional syntax required?

Thank you in advance for your help!

2 Answers

It looks like the console is trying to describe all log groups but you have restricted the Describe* actions to a specific log group. In most cases, AWS Console will describe all resources and this is required for Console to function. Add an additional statement into your policy to allow Console to describe all the log groups.

Example Policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "logs:Get*", "logs:List*",
                    "logs:StartQuery", "logs:StopQuery", "logs:Describe*", "logs:TestMetricFilter", "logs:FilterLogEvents"
                ],
                "Resource": "arn:aws:logs:us-east-1:ACCOUNT_ID:log-group:/aws/sagemaker/TrainingJobs:log-stream:*"
            },
            {
                "Sid": "DescribeLogGroups",
                "Effect": "Allow",
                "Action": "logs:DescribeLogGroups",
                "Resource": "arn:aws:logs:us-east-1:ACCOUNT_ID:log-group::log-stream:"
            }
        ]
    }

The above policy won't allow the user to access any log streams for unwanted log groups. It will only allow AWS Console to list all log groups. The user will be allowed to access only the log streams for the /aws/sagemaker/TrainingJobs log group.

answered 2 months ago
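To see why the console's `logs:DescribeLogGroups` call was denied under the original policy and why the extra statement fixes it, here is an added example (not code from the thread or from AWS): a minimal Python matcher that applies IAM's `*`/`?` wildcard rules to the two policies above. It models Allow statements only (no Deny, Condition or NotAction), and the account ID and log-stream names are constructed placeholders.

```python
import re

ACCOUNT = "123456789012"  # constructed placeholder, not a real account ID
PREFIX = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:"
ACTIONS = ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
           "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery",
           "logs:Describe*", "logs:TestMetricFilter", "logs:FilterLogEvents"]

# The questioner's policy: every action scoped to the streams of one log group.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ACTIONS,
     "Resource": PREFIX + "/aws/sagemaker/TrainingJobs:log-stream:*"}]}
# Renjith's answer: the same, plus DescribeLogGroups on the account-level ARN
# that the error message named.
FIXED = {"Version": "2012-10-17", "Statement": ORIGINAL["Statement"] + [
    {"Effect": "Allow", "Action": "logs:DescribeLogGroups",
     "Resource": PREFIX + ":log-stream:"}]}

def _match(pattern, value):
    """IAM wildcard match: * is any run of characters, ? is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """True if an Allow statement matches the action (case-insensitive, as IAM
    does for actions) and the resource ARN (case-sensitive). No Deny/Condition."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (stmt.get("Effect") == "Allow"
                and any(_match(a.lower(), action.lower()) for a in acts)
                and any(_match(r, resource) for r in ress)):
            return True
    return False

# Calls worth checking: the console's listing call (resource taken from the
# error message), a stream inside the allowed group, a stream in another group.
CASES = {
    "console_describe": ("logs:DescribeLogGroups", PREFIX + ":log-stream:"),
    "allowed_stream": ("logs:FilterLogEvents",
                       PREFIX + "/aws/sagemaker/TrainingJobs:log-stream:job-1/algo-1"),
    "other_stream": ("logs:FilterLogEvents",
                     PREFIX + "/aws/lambda/other:log-stream:2024/01/01"),
}

def evaluate(policy):
    """Map each case name to whether the policy allows it."""
    return {name: is_allowed(policy, a, r) for name, (a, r) in CASES.items()}
```

The same `evaluate()` call can be pointed at any candidate Resource ARN you are considering, so a narrower scope can be checked against sample requests before it is attached to the user.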

Hi Renjith. Thank you very much for your answer. This worked for us! One other question. Is it possible to restrict down to a specific log stream within that log group? Essentially what happens is, mlops1 has a training job in SageMaker Studio and accesses the CloudWatch log for that training job by clicking on that option in SageMaker Studio (which then diverts mlops1 to that log stream in the AWS console). From there, mlops1 can access the log stream but then can also go up a level to access all log streams within that log group. Hopefully that makes sense. Looking forward to hearing your thoughts on that! Thanks again.

answered a month ago
  • Hello Renjith. Hope you are doing well. Just wanted to follow up on the possibility of restricting access to log streams within the log group. Do you know if that is possible? So far, we have not figured out a way of successfully doing this. Thank you very much.
