IAM Policy for reading CloudWatch Log Stream with logs:GetLogEvents - issue matching log groups with "/" in the name?


Dear all,

I'm trying to create a policy (via terraform) to allow reading of all log-stream from a log group, using the web console.

I can't manage to create a policy for a log-group that has a "/" in its name.

Using the visual editor, for instance, if I try to restrict to: [image: wrong]

I always get the error "This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining."

When I come back, the ARN I just entered is now listed under "log-group" instead of "log-streams"!

However, if I do:

[image: correct]

This works, although this log group doesn't really exist. And it is indeed recognized as a log-stream, not a log-group.

Am I crazy for thinking that ARNs with "/" in their log-group names are always recognized as log-group names instead of log-streams? Or am I missing something very obvious here and defining my policy somehow stupidly?

1 Answer

Hello,

I understand that you are unable to create a policy when you use a log-group name which has "/" in it, and that you get the error message "This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition."

I replicated the same in my environment and was able to specify the log-group-name with "/" successfully in the policy using the visual editor like that of yours.

I was able to confirm that there is no error message listed while creating the policy; the message you specified is just an additional warning message, not an error, which IAM generates to ensure that you have included all actions which support a particular resource in the policy. You can refer to [1] for more information.

[1] Search for "This policy defines some actions, resources, or conditions that do not provide permissions." - https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_policies-polsum

After editing the policy through the Visual Editor, if you navigate to the JSON view of your policy, you will find "Errors: 0 and Warnings: 0". This means that your policy is not throwing any errors. If your policy has any issues, you can switch to the JSON view of the policy and check whether any error message or warning is listed.

You can find the format of "Resource types defined by Amazon CloudWatch Logs" in the documentation below:

[2] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-resources-for-iam-policies

Also, you can refer to the documentation below [3] to get the supported resource for each action, by scrolling to the fourth column of each action listed; the respective format for that resource is specified in the documentation above [2]:

[3] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-actions-as-permissions

Even after passing the correct resource in the policy, IAM throws this warning message. This is a known issue. You can simply ignore the warning message if you consider that the resource you specified for the action is appropriate, and continue to save the policy.

You stated that: When I come back, the ARN I just entered is now listed under "log-group" instead of "log-streams"!

During the replication, I also observed the same behaviour. But when you switch to the JSON format of the policy, you will find the same ARN mentioned in the resource section of your policy. So it will not have any impact on the policy implementation, and it will be taken in the log-stream format at the time of evaluation of the policy, as the ARN is specified in the log-stream format [2].

ARNs with "/" in their log-group names are recognized as "log-group names" as well as "log-streams": a log group name will have "/", and when we specify a log-stream ARN we use the log-group name, so automatically that will be included in the "log-streams" ARNs as well.

AWS
answered 3 months ago
  • Dear Sakshi, thank you for your answer. Indeed I did not test very well, as I just confirmed now that even though the warning message "This policy defines some actions, resources, or conditions that do not provide permissions" appears when I define a log group with a "/" in the name, the policy still actually works when I try to use it.

    Thank you for your help!
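Added example (not code from the question, the answer, or AWS): it builds the log-stream ARN that logs:GetLogEvents expects, wraps it in a policy document, and parses such ARNs back by splitting only on the fixed ":log-group:" and ":log-stream:" markers, which is why a "/" inside the log-group name never turns a log-stream ARN into a log-group ARN. The region, account id and log-group name are constructed placeholders.

```python
# Added example, not from the original post. Region, account and log-group
# names below are constructed placeholders.
import json


def logs_arn(region, account, log_group, log_stream=None, partition="aws"):
    """Build a CloudWatch Logs ARN in the documented resource format:
    log-group:  arn:aws:logs:REGION:ACCOUNT:log-group:NAME
    log-stream: arn:aws:logs:REGION:ACCOUNT:log-group:NAME:log-stream:STREAM"""
    arn = f"arn:{partition}:logs:{region}:{account}:log-group:{log_group}"
    if log_stream is not None:
        arn += f":log-stream:{log_stream}"
    return arn


def parse_logs_arn(arn):
    """Split a CloudWatch Logs ARN into its parts. Log-group names may contain
    '/', so we split on the fixed markers rather than on every ':'.
    (Log-group names cannot contain ':', so the markers are unambiguous.)"""
    prefix, marker, rest = arn.partition(":log-group:")
    parts = prefix.split(":")
    if not marker or len(parts) != 5 or parts[0] != "arn" or parts[2] != "logs":
        raise ValueError(f"not a CloudWatch Logs ARN: {arn}")
    group, stream_marker, stream = rest.partition(":log-stream:")
    return {
        "partition": parts[1],
        "region": parts[3],
        "account": parts[4],
        "log_group": group,
        "log_stream": stream if stream_marker else None,  # None: log-group ARN
    }


def get_log_events_policy(region, account, log_group):
    """Policy granting logs:GetLogEvents on every stream of one log group.
    The resource must be the log-stream form; '*' matches all stream names."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "logs:GetLogEvents",
            "Resource": logs_arn(region, account, log_group, "*"),
        }],
    }


if __name__ == "__main__":
    policy = get_log_events_policy("eu-west-1", "123456789012", "/aws/lambda/my-func")
    print(json.dumps(policy, indent=2))
    print(parse_logs_arn(policy["Statement"][0]["Resource"]))
```

The parser expects the bare log-group form; the ARN returned by describe-log-groups carries a trailing ":*" which would end up in the parsed group name.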
