Can they see the logs, or can they see the contents of the log streams?
The key policy looks correct. You will be relying on IAM policies to allow users to use the KMS keys.
Review which KMS keys are allowed by IAM permissions already assigned to users. Also review whether the CloudWatch log groups are using KMS.
While IAM does not directly support conditions based on the KMS key for log viewing actions, you can use resource tags and condition keys in IAM policies to approximate this. For example, tag your KMS key and log groups with specific attributes and use those in IAM policy conditions.
Here's an example IAM policy that incorporates tag-based conditions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewEncryptedLogs",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "ProjectX"
        }
      }
    },
    {
      "Sid": "DecryptWithSpecificKMSKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:region:account-id:key/key-id",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "ProjectX",
          "kms:ViaService": "logs.region.amazonaws.com"
        }
      }
    }
  ]
}
```
If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!
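Whether a tag-conditioned statement like the one above ever matches depends on which condition keys are actually present in the request context: `aws:RequestTag/*` is only populated on requests that pass tags, so a plain `StringEquals` against it on a read call evaluates to false and the statement grants nothing, whereas `aws:ResourceTag/*` is populated from the tags on the resource being accessed. The block below is an added example, not code from the answer or from AWS: a small offline model of IAM statement evaluation (Effect, Action and Resource wildcards, `StringEquals` and `StringEqualsIfExists`, with the documented rule that `StringEquals` on a missing key is false) run against the policy as originally posted (which used `aws:RequestTag/Project` and `kms:RequestTag/Project`) and a variant that uses `aws:ResourceTag/Project` in both statements. The account ID, region, key ID and log stream ARN are placeholders.

```python
"""Offline model of how IAM evaluates the tag-conditioned policy above.

Added example, not from the original post. It implements only what is needed
to evaluate that policy: Effect, Action/Resource wildcards and the
StringEquals / StringEqualsIfExists operators, where a condition key that is
absent from the request context makes StringEquals evaluate to false.
Key policies, SCPs, NotAction and policy variables are not modelled.
"""
import fnmatch
from typing import Any, Dict, List

# Placeholder identifiers (assumed, not from the post).
REGION = "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
LOG_STREAM_ARN = (f"arn:aws:logs:{REGION}:111122223333:log-group:/app/projectx:"
                  "log-stream:instance-1")


def tag_policy(logs_tag_keys: List[str], kms_tag_key: str) -> Dict[str, Any]:
    """Build the two-statement policy from the answer, parameterised on which
    condition keys carry the Project=ProjectX tag check."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ViewEncryptedLogs",
                "Effect": "Allow",
                "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams",
                           "logs:DescribeLogGroups"],
                "Resource": "*",
                "Condition": {"StringEquals": {k: "ProjectX" for k in logs_tag_keys}},
            },
            {
                "Sid": "DecryptWithSpecificKMSKey",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": KEY_ARN,
                "Condition": {"StringEquals": {
                    kms_tag_key: "ProjectX",
                    "kms:ViaService": f"logs.{REGION}.amazonaws.com",
                }},
            },
        ],
    }


# The policy as it was posted, and the same policy matching on resource tags only.
AS_POSTED = tag_policy(["aws:RequestTag/Project", "aws:ResourceTag/Project"],
                       "kms:RequestTag/Project")
CORRECTED = tag_policy(["aws:ResourceTag/Project"], "aws:ResourceTag/Project")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, fold_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    if fold_case:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIfExists"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                # Key absent from the request: StringEquals is false, the
                # IfExists variant is true.
                if operator == "StringEquals":
                    return False
                continue
            if actual not in _as_list(expected):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             context: Dict[str, str]) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def read_log_events(policy: Dict[str, Any], project_tag: str = "ProjectX") -> str:
    """GetLogEvents on a stream whose log group is tagged Project=<project_tag>.
    A read request carries no tags, so no aws:RequestTag/* key is in the context."""
    return evaluate(policy, "logs:GetLogEvents", LOG_STREAM_ARN,
                    {"aws:ResourceTag/Project": project_tag})


def decrypt(policy: Dict[str, Any], via_logs: bool = True,
            project_tag: str = "ProjectX") -> str:
    """kms:Decrypt on the key tagged Project=<project_tag>, either routed through
    CloudWatch Logs (kms:ViaService present) or called directly by the user."""
    context = {"aws:ResourceTag/Project": project_tag}
    if via_logs:
        context["kms:ViaService"] = f"logs.{REGION}.amazonaws.com"
    return evaluate(policy, "kms:Decrypt", KEY_ARN, context)


if __name__ == "__main__":
    for name, pol in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name:10} GetLogEvents: {read_log_events(pol):12} "
              f"Decrypt via Logs: {decrypt(pol):12} "
              f"Decrypt direct: {decrypt(pol, via_logs=False)}")
```

Running it shows the as-posted policy yielding ImplicitDeny for both the read and the decrypt because the RequestTag keys are never present, while the resource-tag variant allows the read for ProjectX resources, allows Decrypt only when routed through CloudWatch Logs, and denies both for a resource tagged with another project. The model covers only the user's identity policy; as the comment below reports, in the actual setup a grant to the CloudWatch Logs service principal in the key policy is what lets log readers see decrypted events, independent of whether they hold kms:Decrypt themselves.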
I have exactly the same problem. I created a user for testing with RO permissions.
Looks like providing decrypt permission to `"Service": "logs.REGION.amazonaws.com"` will allow everyone with RO access to see logs.
I've tried to revoke that permission from the service and failed to grasp why the logs disappeared entirely.
To be clear, this is a user who has only the "ReadOnlyAccess" policy attached and no explicit access to the key (the key policy is the one above).
This user can see the log group (correctly encrypted with the KMS key), the log streams of that group, and the log events themselves.
The expected result would be no access to the logs, because the user does not have access to the decryption key.
Everything should work based on your information and description of how everything is set up. All I can suggest is to double-check everything: the log group is using the expected KMS key, the user has no other policies attached directly or through group membership, and the KMS key has the correct policy.