Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Logs sent to CloudWatch Logs
User permissions
To enable sending logs to CloudWatch Logs, you must be signed in with the following
permissions.
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadWriteAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:GetDelivery",
"logs:GetDeliverySource",
"logs:PutDeliveryDestination",
"logs:GetDeliveryDestinationPolicy",
"logs:DeleteDeliverySource",
"logs:PutDeliveryDestinationPolicy",
"logs:CreateDelivery",
"logs:GetDeliveryDestination",
"logs:PutDeliverySource",
"logs:DeleteDeliveryDestination",
"logs:DeleteDeliveryDestinationPolicy",
"logs:DeleteDelivery",
"logs:UpdateDeliveryConfiguration"
],
"Resource": [
"arn:aws-cn:logs:us-east-1:111122223333:delivery:*",
"arn:aws-cn:logs:us-east-1:444455556666:delivery-source:*",
"arn:aws-cn:logs:us-east-1:777788889999:delivery-destination:*"
]
},
{
"Sid": "ListAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:DescribeDeliveryDestinations",
"logs:DescribeDeliverySources",
"logs:DescribeDeliveries",
"logs:DescribeConfigurationTemplates"
],
"Resource": "*"
},
{
"Sid": "AllowUpdatesToResourcePolicyCWL",
"Effect": "Allow",
"Action": [
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws-cn:logs:us-east-1:123456789012:*"
]
}
]
}
Log group resource policy
The log group where the logs are being sent must have a resource policy that
includes certain permissions. If the log group currently does not have a resource
policy, and the user setting up the logging has the
logs:PutResourcePolicy, logs:DescribeResourcePolicies,
and logs:DescribeLogGroups permissions for the log group, then Amazon
automatically creates the following policy for it when you begin sending the logs to
CloudWatch Logs. For newly created subscriptions, resource policies are configured at
the log group level and have a maximum size of 51,200 bytes. If an existing
account-level resource policy already grants permissions through wildcards,
a separate log group level policy would not be created. To check the logGroup-level
resource policy for a specific log group, use the
describe-resource-policies command with the
--resource-arn parameter set to the log group ARN and the
--policy-scope parameter set
to RESOURCE.
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws-cn:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"0123456789"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws-cn:logs:us-east-1:111122223333:*"
]
}
}
}
]
}
The log group's resource policy limit is 51,200 bytes. Once this limit is reached,
AWS cannot add new permissions. This requires customers to manually modify the
policy to grant the delivery.logs.amazonaws.com service principal permissions
on the logs:CreateLogStream and logs:PutLogEvents actions. Customers
should use a log group name prefix with wildcards such as /aws/vendedlogs/*
and use this log group name for future Delivery creation.
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws-cn:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"0123456789"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws-cn:logs:us-east-1:111122223333:*"
]
}
}
}
]
}