IAM policy editor warnings: Specify log-group resource ARN for the actions


When using the IAM visual policy editor, it does not seem to care much whether the selected (CloudWatch Logs) actions match the level of the specified ARN resources. Although the syntax is correct, it subsequently complains with warnings for certain policy statements.

Specify log-group resource ARN for the GetLogGroupFields and 6 more actions.

One or more actions may not support this resource.

Specify log-stream resource ARN for the PutLogEvents and 1 more action.

Even if I follow the action listing specifications https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-actions-as-permissions

and re-group the actions into statements according to their resource scopes (i.e. log-group; log-stream), the warnings still appear, seemingly because the resource ARNs specified still don't tie in to their supposed levels?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogRecord",
                "logs:GetQueryResults",
                "logs:StopQuery",
                "logs:TestMetricFilter"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogGroupFields",
                "logs:ListTagsLogGroup",
                "logs:StartQuery"
            ],
            "Resource": [
                "arn:aws:logs:REGION:ACCOUNT:log-group:App/all-logs/dev:*",
                "arn:aws:logs:REGION:ACCOUNT:log-group:App/error-logs/dev:*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:REGION:ACCOUNT:log-group:App/all-logs/dev:log-stream:*",
                "arn:aws:logs:REGION:ACCOUNT:log-group:App/error-logs/dev:log-stream:*"
            ]
        }
    ]
}

I am particularly confused by the ARN formatting. When I look at a CloudWatch log group's properties directly, its specified ARN is arn:aws:logs:REGION:ACCOUNT:log-group:App/all-logs/dev:* but shouldn't it be arn:aws:logs:REGION:ACCOUNT:log-group:App/all-logs/dev since it's not its child resources we're targeting? Regardless, even if I try that alternative format the same warning is present.

What am I missing for the statements?

2 Answers

Well, it appears the :* suffix is necessary, or at least for some actions. Yesterday a user reported he couldn't access the log groups' streams in the AWS web console.

User: arn:aws:iam::ACCOUNT:user/USERNAME is not authorized to perform: logs:DescribeLogStreams on resource: arn:aws:logs:REGION:ACCOUNT:log-group:App/error-logs/dev:log-stream:

Applying :* lets him navigate to the streams.

icelava
answered 3 years ago
  • Hi IceLava, I was only using the '?' to show the matching of the log-group ARN to end in "orange", not "orange*". Apologies if I communicated it as a recommendation for helping in this use case.

    Using the '*' in an IAM policy matches against anything as a wildcard, not a literal match with the asterisk. You can test the logs:DescribeLogStreams action as I did using the following policy to constrain the action to log streams in a single group. It will match without the asterisk.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeLogStreams",
                "Effect": "Allow",
                "Action": "logs:DescribeLogStreams",
                "Resource": "arn:aws:logs:us-east-2:111122223333:log-group:<group-name>:log-stream:"
            }
        ]
    }
    
  • Hi mattcarter, as per my supplementary comment, the :* suffix is required for the policy statement to apply to all log streams in the log group, otherwise my developers couldn't list/describe them in the web console.

    arn:aws:logs:us-east-2:111122223333:log-group:<group-name>:log-stream:*


Hi IceLava, the logs API does return the asterisk on the end of the resource ARN for log groups. For IAM policies, however, you should match as if the ARN didn't have the asterisk at the end of the resource ARN. For example, the following policy would match a log group named 'orange':

        {
            "Sid": "OrangeLogGroup",
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "arn:aws:logs:REGION:ACCOUNT:log-group:orang?"
        }

The '?' only matches one character and matches with the 'e' in the name. If the wildcard were part of the ARN, this policy wouldn't match. The Service Description File validates this:

"ARN": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}"

I agree that the Visual Editor in IAM seems to be struggling with this resource type. You may have to rely on the JSON editor while we get this addressed.

Thanks for pointing this inconsistency out.

answered 3 years ago
  • Hi mattcarter, I am not sure how a single-char ? placeholder will prove useful in practical real-world scenarios. If an app uses a collection of log groups, it's extremely unlikely all log group names are of the same exact length.
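The two answers disagree about whether the trailing :* is needed, and both arguments come down to how IAM's '*' and '?' wildcards are matched against the concrete ARN the service passes at evaluation time. The following is an added example, not code from this thread or from AWS: a small matcher that models the documented wildcard rule ('*' matches any run of characters, '?' exactly one, everything else literal, whole-ARN match) and a deliberately simplified policy evaluator that only considers Allow statements (no Deny, NotAction, NotResource or Condition). REGION and ACCOUNT placeholders are taken from the question; the log-stream name and the policy document are constructed for the example, and the empty-stream ARN is the one quoted in the AccessDenied message of the first answer. Use it to sanity-check Resource patterns before deploying, then confirm against the real service with the IAM policy simulator or a test principal.

```python
"""Toy model of IAM Resource/Action wildcard matching (hypothetical helper, not an AWS library)."""
import re


def _wildcard_regex(pattern: str) -> str:
    # '*' -> any run of characters (may span ':' and '/'); '?' -> exactly one character.
    # Everything else is escaped so it matches literally.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def resource_matches(pattern: str, arn: str) -> bool:
    """True if a Resource pattern covers the whole concrete ARN (case-sensitive)."""
    return re.fullmatch(_wildcard_regex(pattern), arn) is not None


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive; '*' is honoured as a wildcard."""
    return re.fullmatch(_wildcard_regex(pattern.lower()), action.lower()) is not None


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Simplified evaluation: any Allow statement whose Action and Resource both match
    grants access. Real IAM applies explicit Deny first and honours Conditions; this
    model omits those on purpose."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(action_matches(a, action) for a in actions) and any(
            resource_matches(r, arn) for r in resources
        ):
            return True
    return False


# --- Constructed sample data (REGION/ACCOUNT placeholders as in the question) ---
GROUP = "arn:aws:logs:REGION:ACCOUNT:log-group:App/error-logs/dev"
DISPLAYED_GROUP_ARN = GROUP + ":*"            # what the console/API shows for the group
DESCRIBE_STREAMS_ARN = GROUP + ":log-stream:"  # resource quoted in the AccessDenied message
STREAM_ARN = GROUP + ":log-stream:2024-01-01-app01"  # constructed stream name

POLICY = {  # constructed: the question's stream-level statement plus mattcarter's literal form
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Streams",
            "Effect": "Allow",
            "Action": ["logs:GetLogEvents", "logs:PutLogEvents"],
            "Resource": [GROUP + ":log-stream:*"],
        },
        {
            "Sid": "DescribeStreams",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": GROUP + ":log-stream:",  # no trailing '*'
        },
    ],
}


def coverage_report() -> dict:
    """Which pattern/ARN combinations from the thread match under the wildcard rule."""
    orange = "arn:aws:logs:REGION:ACCOUNT:log-group:orang?"
    return {
        "orang? vs orange": resource_matches(orange, "arn:aws:logs:REGION:ACCOUNT:log-group:orange"),
        "orang? vs orange:*": resource_matches(orange, "arn:aws:logs:REGION:ACCOUNT:log-group:orange:*"),
        "group:* vs bare group ARN": resource_matches(DISPLAYED_GROUP_ARN, GROUP),
        "group:* vs stream ARN": resource_matches(DISPLAYED_GROUP_ARN, STREAM_ARN),
        "log-stream: vs empty-stream ARN": resource_matches(GROUP + ":log-stream:", DESCRIBE_STREAMS_ARN),
        "log-stream: vs real stream ARN": resource_matches(GROUP + ":log-stream:", STREAM_ARN),
        "log-stream:* vs real stream ARN": resource_matches(GROUP + ":log-stream:*", STREAM_ARN),
    }


if __name__ == "__main__":
    for label, ok in coverage_report().items():
        print(f"{'MATCH ' if ok else 'no    '} {label}")
    print("PutLogEvents on stream:", is_allowed(POLICY, "logs:PutLogEvents", STREAM_ARN))
    print("PutLogEvents on group :", is_allowed(POLICY, "logs:PutLogEvents", GROUP))
```

Two results are worth noting when reviewing CloudWatch Logs policies. A pattern ending in :* does not match the bare log-group ARN, because the colon is literal; and a pattern ending in :log-stream: with no wildcard matches only an ARN whose stream name is empty, which is exactly the resource shown in the AccessDenied message above. Whether a given API call is evaluated against the bare group ARN, the :* form or a stream ARN is decided by the service, so the resource string in a real AccessDenied message is the most reliable input to feed this matcher.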
