Hello,
As per the AWS Doc on Actions, resources, and condition keys for Amazon CloudWatch Logs, the FilterLogEvents API only supports the log-group* resource type.

Note - log-group resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}

However, as evident from the policy above, you are trying to restrict the FilterLogEvents API with a log stream resource type instead -> arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*.

Note - log-stream resource ARN -> arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}
Additionally, note that the "Run Query" button calls the "FilterLogEvents" action in the back end. Hence, you can only restrict it to a specific log group.

Similarly, the DescribeQueryDefinitions API currently doesn't support any Resource ARN restriction, as evident from the above AWS Doc as well. Remember, if there is no value for this column (Resource types), you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. Hence, you can't restrict it with a log group or log stream resource type. It's basically an all-or-nothing List API operation which you can't restrict at the given time.

*Also, please note that these two IAM actions/CloudWatch Logs APIs currently do not support any condition keys either.
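As an added example that is not part of this answer, a small Python check that applies the two rules above to a policy document: it flags a FilterLogEvents statement whose Resource is a log-stream ARN (a statement that can never match the request) and a DescribeQueryDefinitions statement scoped to anything other than "*". The account id and both policy documents are constructed placeholders.

```python
import re
# Resource types each action accepts, as stated in the answer above: FilterLogEvents takes
# only log-group ARNs; DescribeQueryDefinitions lists no resource types, so Resource must be "*".
ACTION_RESOURCE_TYPES = {
    "logs:FilterLogEvents": {"log-group"},
    "logs:DescribeQueryDefinitions": set(),
}
# ARN shapes: a log-group ARN ends at the group name (optionally ":*"); a log-stream ARN appends ":log-stream:<name>".
LOG_GROUP_ARN = re.compile(r"^arn:[^:]+:logs:[^:]*:[^:]*:log-group:[^:]+(:\*)?$")
LOG_STREAM_ARN = re.compile(r"^arn:[^:]+:logs:[^:]*:[^:]*:log-group:[^:]+:log-stream:")

def classify_resource(arn):
    """Map a Resource entry to the CloudWatch Logs resource type it names."""
    if arn == "*":
        return "wildcard"
    if LOG_STREAM_ARN.match(arn):
        return "log-stream"
    return "log-group" if LOG_GROUP_ARN.match(arn) else "other"

def lint_policy(policy):
    """Return findings for statements whose Resource can never match the action's request."""
    findings = []
    statements = policy["Statement"]
    for idx, stmt in enumerate([statements] if isinstance(statements, dict) else statements):
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            allowed = ACTION_RESOURCE_TYPES.get(action)
            if allowed is None:
                continue  # action not covered by this check
            for arn in resources:
                kind = classify_resource(arn)
                if kind == "wildcard":
                    continue  # "*" is valid for every action
                if not allowed:
                    findings.append(f"statement {idx}: {action} accepts no resource types, use Resource \"*\" (got {arn})")
                elif kind not in allowed:
                    findings.append(f"statement {idx}: {action} accepts only {sorted(allowed)} ARNs, not {kind} (got {arn})")
    return findings

# Constructed sample in the asker's shape: a log-stream ARN; the account id is a placeholder.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:FilterLogEvents", "logs:DescribeQueryDefinitions"],
    "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:aws-controltower/CloudTrailLogs:log-stream:*"}]}
# Constructed corrected policy: FilterLogEvents scoped to the log group, the list API on "*".
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:FilterLogEvents",
     "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:aws-controltower/CloudTrailLogs"},
    {"Effect": "Allow", "Action": "logs:DescribeQueryDefinitions", "Resource": "*"}]}
```

Running `lint_policy(BROKEN_POLICY)` reports both problems and `lint_policy(FIXED_POLICY)` returns an empty list.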