IAM Policy for reading CloudWatch Log Stream with logs:GetLogEvents - issue matching log groups with "/" in the name ?

0

Dear all,

I'm trying to create a policy (via terraform) to allow reading of all log-stream from a log group, using the web console.

I can't manage to create a policy for a log-group that has a "/" in its name.

Using the visual editor, for instance, if I try to restrict to : wrong

I always get the error This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining. Learn more next page.

When I come back, the ARN I just entered is now listed on "log-group" instead of "log-streams" !

However I do :

correct

This works, although this log group doesn't really exist. And it is indeed recognized as a log-stream, not a log-group.

Am I crazy for thinking that arns with "/" in their log-group names are always recognized as log-group names instead of log-streams? Or am I missing something very obvious here and defining my policy somehow stupidly ?

1 Answer
1

Hello,

I understood that when you are unable to create a policy when you are using log-group-name which has "/" in its name. and getting error message as "This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition."

I replicated the same in my environment and was able to specify the log-group-name with "/" successfully in the policy using the visual editor like that of yours.

I was able to confirm that there is no error message being listed while creating the policy but the message you specified is just an additional warning message and not the error which IAM generates to ensure that you have included all actions which support particular resource in the policy. You can refer [1] for more information.

[1] Search for "This policy defines some actions, resources, or conditions that do not provide permissions." - https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_policies-polsum

Once after editing the policy through Visual Editor, if you navigate to the JSON view of your policy, you will find " Errors: 0 and Warnings: 0 ". This means that your policy is not throwing any errors. If your policy have any issues, you can switch to the JSON view of the policy and can check if there is any error message or warning listed.

You can find the format of "Resource types defined by Amazon CloudWatch Logs" in below documentation :

[2] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-resources-for-iam-policies

Also, you can refer below documentation [3] to get the supported resource for each action, by just scrolling to the fourth column of each action listed and the respective format for that resource is specified in above documentation [2] :

[3] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-actions-as-permissions

Even after passing the correct resource in the policy IAM throws this warning message. This is the known issue. You can simply ignore the warning message if you consider that the resource you specified according to the action is appropriate and continue to save the policy.

You stated that : When I come back, the Arn I just entered is now listed on "log-group" instead of "log-streams" !

During the replication, I also observed the same behaviour. But when you switch to the JSON format of the policy, you will find the same Arn mentioned in the resource section of your policy. So, it will not have any impact on the policy implementation and will be taken in the log-stream format only at the time of evaluation of the policy as the Arn is specified in the log-stream format [2].

The Arns with "/" in their log-group names are recognized as "log-group names" as well as "log-streams" as log group name will have "/" and when we specify log-streams Arn we use log-group name so automatically that will be included in the "log-streams" Arns as well.

AWS
answered 24 days ago
  • Dear Sakshi Thank you for your answer. Indeed I did not test very well, as I just confirmed now that even though the warning message "This policy defines some actions, resources, or conditions that do not provide permissions" when I defined a log group with a "/" in the name, the policy still actually works when I try to use it.

    Thank you for your help !

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions