IAM role/policy restrictions

Question

Hi Team.
I'm working on cross accounts, so i have a lambda function which delete the log group which doesn't have any retention period to it.
I'm assuming the role from other aws account using sts_connection = boto3.client('sts') in my lambda code.
I need a restriction rule to this role to just pick up a single lambda function i.e my lambda and not by the other lambda functions.
As of now i have policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DeleteLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}
Lambda Basic execution:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
TRUST RELATIONSHIP:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:::root",
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Kindly provide a solution to this as the plicy needs to be updated or conditions needs to be applied for the above policy, Thanks!

Answer

Unfortunately, as far as I can tell from the official documentation of the condition keys supported by the Cloudwatch Logs policy statement, it is not possible to specify such detailed conditions for log groups that do not have a Retention Period.

> Amazon CloudWatch Logs defines the following condition keys that can be used in the Condition element of an IAM policy

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys

https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table

If the Lambda log group you are creating is the only one with a specific prefix, you can specify it in the resource section as arn:aws:logs:us-east-1:*:log-group:${LogGroupPrefix}*, etc. to restrict it to some extent, though not completely.. If you want complete control, you will need to specify the full arn in the resource section.

Answer

To restrict the IAM role to only allow deletion of the specific Lambda function's log group, you can add a condition to the existing IAM policy. You can use the aws:ResourceTag condition to limit the DeleteLogGroup action to log groups that have a specific tag applied, and then apply that tag to the log group you want to allow deletion for.

Answer

Hi. Agree with Gupta.
In addition, policy will like this.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/Owner": "Hoge"
                }
            }
        }
    ]
}
```

IAM role/policy restrictions

相关内容