AWS AmazonCloudWatch documentation change
Summary
Expanded IAM policy examples to clarify log-group vs log-stream ARN formats, added resource type explanations, and restructured examples with granular permissions
Security assessment
The change significantly improves security documentation by providing precise examples for least-privilege policies, distinguishing between log-group and log-stream level permissions. This helps prevent overly permissive policies but doesn't address any specific security vulnerability.
Diff
diff --git a/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md b/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md index a894e4190..691f68d63 100644 --- a//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md +++ b//AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.md @@ -58 +58,10 @@ This policy has one statement that grants permissions to create log groups and l -The wildcard character (*) at the end of the `Resource` value means that the statement allows permission for the `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`, and `logs:DescribeLogStreams` actions on any log group. To limit this permission to a specific log group, replace the wildcard character (*) in the resource ARN with the specific log group ARN. For more information about the sections within an IAM policy statement, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html) in _IAM User Guide_. For a list showing all of the CloudWatch Logs actions, see [CloudWatch Logs permissions reference](./permissions-reference-cwl.html). +The wildcard character (*) in the `Resource` value grants permission for the listed actions on any CloudWatch Logs resource. + + * **To limit permissions to specific log group actions** (e.g., `CreateLogGroup`, `DescribeLogStreams`), replace the wildcard with the log group ARN—`arn:aws:logs:`us-west-2`:`123456789012`:log-group:`MyLogGroup`` + + * **To limit permissions to specific log stream actions** (e.g., `CreateLogStream`, `PutLogEvents`), replace the wildcard with the log stream ARN—`arn:aws:logs:`us-west-2`:`123456789012`:log-group:`MyLogGroup`:*` (matches all streams) or `arn:aws:logs:`us-west-2`:`123456789012`:log-group:`MyLogGroup`:log-stream:`MyStream`` (specific stream) + + + + +See the [service authorization reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html) for which resource type each API requires. @@ -285 +294 @@ In this section, you can find example user policies that grant permissions for v - * Example 3: Allow access to one log group + * Example 3: Allow access to one log group / log stream @@ -349 +358 @@ JSON -#### Example 3: Allow access to one log group +#### Example 3: Allow access to one log group / log stream @@ -351 +360 @@ JSON -The following policy allows a user to read and write log events in one specified log group. +CloudWatch Logs has two resource types with different ARN formats: @@ -353 +362 @@ The following policy allows a user to read and write log events in one specified -###### Important + * **Log group** : `arn:aws:logs:`region`:`account`:log-group:`LogGroupName`` @@ -355 +364 @@ The following policy allows a user to read and write log events in one specified -The `:*` at the end of the log group name in the `Resource` line is required to indicate that the policy applies to all log streams in this log group. If you omit `:*`, the policy will not be enforced. + * **Log stream** : `arn:aws:logs:`region`:`account`:log-group:`LogGroupName`:log-stream:`StreamName`` @@ -357 +365,0 @@ The `:*` at the end of the log group name in the `Resource` line is required to -JSON @@ -360 +367,0 @@ JSON -**** @@ -361,0 +369,24 @@ JSON +When writing IAM policies, the ARN format you use must match the resource type the API authorizes on. See the [service authorization reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html) for which resource type each API requires. + +##### Example 3a: Allow access to log-group-level actions on a specific log group + + + { + "Version":"2012-10-17", + "Statement":[ + { + "Action": [ + "logs:DeleteLogGroup", + "logs:PutRetentionPolicy", + "logs:PutSubscriptionFilter", + "logs:DescribeLogStreams" + ], + "Effect": "Allow", + "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName" + } + ] + } + +These actions authorize on the `log-group` resource type. The standard ARN format (without `:*`) is supported. + +##### Example 3b: Allow access to log-stream-level actions on a specific log group @@ -370 +400,0 @@ JSON - "logs:DescribeLogStreams", @@ -379,0 +410,29 @@ JSON +These actions authorize on the `log-stream` resource type. The `:*` suffix is required to match all log streams within the log group, or specify a specific stream with `:log-stream:`StreamName``. + +##### Example 3c: Combined policy for both log-group and log-stream actions + + + { + "Version":"2012-10-17", + "Statement":[ + { + "Action": [ + "logs:DeleteLogGroup", + "logs:PutRetentionPolicy", + "logs:DescribeLogStreams", + "logs:FilterLogEvents" + ], + "Effect": "Allow", + "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName" + }, + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:GetLogEvents" + ], + "Effect": "Allow", + "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*" + } + ] + }