IAM resources requires region and account id?

0

I tried simplifying my IAM policy https://github.com/kaihendry/terraform-aws-canary/blob/main/iam.tf#L39 from

"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/cwsyn-*"

to

"arn:aws:logs:::log-group:/aws/lambda/cwsyn-*"

And now it doesn't work. Why?

profile picture
hendry
asked a year ago667 views
2 Answers
0
Accepted Answer

ARN of CloudWatch Log Group requires region code and account id in the path. If you do not want to specify region code/account name in the path, you should try like below.

"arn:aws:logs:*:*:log-group:/aws/lambda/cwsyn-*"

Paths can include a wildcard character, namely an asterisk (*). Please refer to below link.

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

profile pictureAWS
answered a year ago
0

Please refer to the details on the resources ARN : https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

arn:partition:service:region:account-id:resource-id arn:partition:service:region:account-id:resource-type/resource-id arn:partition:service:region:account-id:resource-type:resource-id

To look up the ARN format for a specific AWS resource, open the Service Authorization Reference, open the page for the service, and navigate to the resource types table.

Looks like for log group it is

arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}	

Note : You can specify IAM and AWS STS ARNs using the following syntax. The Region portion of the ARN is blank because IAM resources are global. Reference : https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html

arn:aws:iam::account:root  
arn:aws:iam::account:user/user-name-with-path
arn:aws:iam::account:group/group-name-with-path
arn:aws:iam::account:role/role-name-with-path
arn:aws:iam::account:policy/policy-name-with-path
arn:aws:iam::account:instance-profile/instance-profile-name-with-path
arn:aws:sts::account:federated-user/user-name
arn:aws:sts::account:assumed-role/role-name/role-session-name
arn:aws:iam::account:mfa/virtual-device-name-with-path
arn:aws:iam::account:u2f/u2f-token-id
arn:aws:iam::account:server-certificate/certificate-name-with-path
arn:aws:iam::account:saml-provider/provider-name
arn:aws:iam::account:oidc-provider/provider-name
profile pictureAWS
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions