Restrict CloudWatch Logs

Question

Hi there. We have an IAM user called mlops1. We would like mlops1 to be able to use the AWS console to view logs in CloudWatch, but only a certain log group. This is what the allowed actions look like in our IAM policy (note that the Account ID has been redacted):

{
	"Effect": "Allow",
	"Action": [
		"cloudwatch:Describe*",
		"cloudwatch:Get*",
		"cloudwatch:List*",
		"logs:Get*",
		"logs:List*",
		"logs:StartQuery",
		"logs:StopQuery",
		"logs:Describe*",
		"logs:TestMetricFilter",
		"logs:FilterLogEvents"
	],
	"Resource": "arn:aws:logs:us-east-1::log-group:/aws/sagemaker/TrainingJobs:log-stream:*"
}

As you can see, we would like mlops1 to be able to access only the "/aws/sagemaker/TrainingJobs" log group. However, the user receives the following error message (again, Account ID has been redacted):

Error: User: arn:aws:iam:::user/mlops1 is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:us-east-1::log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action

This error message is not true since the policy contains "logs:Describe*". We found that when we open up to all resources (i.e. *), then mlops1 can access the desired logs in CloudWatch. However, this user can also access any other logs, which is not what we want. How can we limit the user's access to just the "/aws/sagemaker/TrainingJobs" log group? Is there some additional syntax required?

Thank you in advance for your help!

Answer

It looks like the console is trying to describe all log groups but you have restricted the Describe* actions to a specific log group.  In most cases, AWS Console will describe all resources and this is required for Console to function.  Add an additional statement in to your policy to allow Console to describe all the log groups.

Example Policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:Get*",
                "logs:List*",
                "logs:Describe*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*"
            ],
            "Resource": "arn:aws:logs:us-east-1:ACCOUNT_ID:log-group:/aws/sagemaker/TrainingJobs:log-stream:*"
        },
        {
            "Sid": "DescribeLogGroups",
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "arn:aws:logs:us-east-1:ACCOUNT_ID:log-group::log-stream:"
        }
    ]
}
```

Above policy won't allow the user to access any logs streams for unwanted log groups. It will only allow AWS Console to list all log groups.  The user will be allowed to access only the log streams for /aws/sagemaker/TrainingJobs log group.

Answer

Hi Renjith. Thank you very much for your answer. This worked for us! One other question. Is it possible to restrict down to a specific log stream within that log group? Essentially what happens is, mlops1 has a training job in SageMaker Studio and accesses the CloudWatch log for that training job by clicking on that option in SageMaker Studio (which then diverts mlops1 to that log stream in the AWS console). From there, mlops1 can access the log stream but then can also go up a level to access all log streams within that log group. Hopefully that makes sense. Looking forward to hearing your thoughts on that! Thanks again.

Restrict CloudWatch Logs

Relevant content