Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.Logs sent to CloudWatch Logs
User permissions
To enable sending logs to CloudWatch Logs, you must be signed in with the following
permissions.
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadWriteAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:GetDelivery",
"logs:GetDeliverySource",
"logs:PutDeliveryDestination",
"logs:GetDeliveryDestinationPolicy",
"logs:DeleteDeliverySource",
"logs:PutDeliveryDestinationPolicy",
"logs:CreateDelivery",
"logs:GetDeliveryDestination",
"logs:PutDeliverySource",
"logs:DeleteDeliveryDestination",
"logs:DeleteDeliveryDestinationPolicy",
"logs:DeleteDelivery",
"logs:UpdateDeliveryConfiguration"
],
"Resource": [
"arn:aws:logs:eusc-de-east-1:111122223333:delivery:*",
"arn:aws:logs:eusc-de-east-1:444455556666:delivery-source:*",
"arn:aws:logs:eusc-de-east-1:777788889999:delivery-destination:*"
]
},
{
"Sid": "ListAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:DescribeDeliveryDestinations",
"logs:DescribeDeliverySources",
"logs:DescribeDeliveries",
"logs:DescribeConfigurationTemplates"
],
"Resource": "*"
},
{
"Sid": "AllowUpdatesToResourcePolicyCWL",
"Effect": "Allow",
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:eusc-de-east-1:123456789012:*"
]
}
]
}
Log group resource policy
The log group where the logs are being sent must have a resource policy that
includes certain permissions. If the log group currently does not have a resource
policy, and the user setting up the logging has the
logs:PutResourcePolicy, logs:DescribeResourcePolicies,
and logs:DescribeLogGroups permissions for the log group, then AWS
automatically creates the following policy for it when you begin sending the logs to
CloudWatch Logs.
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"0123456789"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:111122223333:*"
]
}
}
}
]
}
The log group's resource policy limit is 51,200 bytes. Once this limit is reached,
AWS cannot add new permissions. This requires customers to manually modify the
policy to grant the delivery.logs.amazonaws.com service principal permissions
on the logs:CreateLogStream and logs:PutLogEvents actions. Customers
should use a log group name prefix with wildcards such as /aws/vendedlogs/*
and use this log group name for future Delivery creation.
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"0123456789"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:us-east-1:111122223333:*"
]
}
}
}
]
}