Step 3: Add/validate IAM permissions for the cross-account destination - Amazon CloudWatch Logs

Step 3: Add/validate IAM permissions for the cross-account destination

According to Amazon cross-account policy evaluation logic, to access any cross-account resource (such as a Kinesis or Firehose stream used as the destination for a subscription filter) you must have an identity-based policy in the sending account that grants explicit access to the cross-account destination resource. For more information about policy evaluation logic, see Cross-account policy evaluation logic.

You can attach the identity-based policy to the IAM role or IAM user that you are using to create the subscription filter. This policy must be present in the sending account. If you are using the Administrator role to create the subscription filter, you can skip this step and move on to Step 4: Create a subscription filter.

To add or validate the IAM permissions needed for cross-account
  1. Enter the following command to check which IAM role or IAM user is being used to run Amazon logs commands.

    aws sts get-caller-identity

    The command returns output similar to the following:

    {
        "UserId": "User ID",
        "Account": "sending account id",
        "Arn": "arn:aws:sending account id:role/user:RoleName/UserName"
    }

    Make note of the value represented by RoleName or UserName.

  2. Sign into the Amazon Web Services Management Console in the sending account and search for the attached policies with the IAM role or IAM user returned in the output of the command you entered in step 1.

  3. Verify that the policies attached to this role or user provide explicit permissions to call logs:PutSubscriptionFilter on the cross-account destination resource. The following example policies show the recommended permissions.

    The following policy provides permissions to create a subscription filter on any destination resource only in a single Amazon account, account 123456789012:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow subscription filters on any resource in one specific account",
                "Effect": "Allow",
                "Action": "logs:PutSubscriptionFilter",
                "Resource": [
                    "arn:aws:logs:*:*:log-group:*",
                    "arn:aws:logs:*:123456789012:destination:*"
                ]
            }
        ]
    }

    The following policy provides permissions to create a subscription filter only on a specific destination resource named sampleDestination in a single Amazon account, account 123456789012:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow subscription filters on one specific resource in one specific account",
                "Effect": "Allow",
                "Action": "logs:PutSubscriptionFilter",
                "Resource": [
                    "arn:aws:logs:*:*:log-group:*",
                    "arn:aws:logs:*:123456789012:destination:sampleDestination"
                ]
            }
        ]
    }
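    The following script is an added example, not Amazon documentation code. It applies the basic identity-based policy rules (implicit deny by default, an Allow must match both the action and the resource, an explicit Deny always wins) to the two policies above, so you can see before calling `aws logs put-subscription-filter` which destination ARNs each policy actually permits, and why both the log-group ARN and the destination ARN must be listed. The policies are the ones from this page; the evaluated ARNs (us-east-1, account 111111111111 as the sending account, a log group named /aws/lambda/app, a destination named otherDestination, and the extra Deny statement) are constructed for the demonstration. The evaluator ignores Condition, NotAction/NotResource, and the destination's own resource policy.

```python
"""Local evaluator for the Step 3 identity-based policies (added example, not AWS code)."""
import fnmatch
import json

# Policy 1 from Step 3: any destination in account 123456789012.
ANY_DESTINATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow subscription filters on any resource in one specific account",
        "Effect": "Allow",
        "Action": "logs:PutSubscriptionFilter",
        "Resource": ["arn:aws:logs:*:*:log-group:*",
                     "arn:aws:logs:*:123456789012:destination:*"],
    }],
}

# Policy 2 from Step 3: only the destination named sampleDestination in that account.
SINGLE_DESTINATION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow subscription filters on one specific resource in one specific account",
    "Effect": "Allow",
    "Action": "logs:PutSubscriptionFilter",
    "Resource": ["arn:aws:logs:*:*:log-group:*",
                 "arn:aws:logs:*:123456789012:destination:sampleDestination"]
  }]
}
""")

# Constructed (not from the page): policy 1 plus an explicit Deny on sampleDestination,
# to show that an explicit Deny overrides a matching Allow.
WITH_EXPLICIT_DENY = {
    "Version": "2012-10-17",
    "Statement": ANY_DESTINATION_POLICY["Statement"] + [{
        "Sid": "Constructed deny for one destination",
        "Effect": "Deny",
        "Action": "logs:PutSubscriptionFilter",
        "Resource": "arn:aws:logs:*:123456789012:destination:sampleDestination",
    }],
}


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action on one resource.

    '*' and '?' are wildcards in both Action and Resource; action names are matched
    case-insensitively, resource ARNs case-sensitively, as IAM does.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resource_patterns = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in action_patterns):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in resource_patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins over any Allow
        decision = "Allow"
    return decision


def can_create_subscription_filter(policy, log_group_arn, destination_arn):
    """PutSubscriptionFilter is authorized against both the log group and the destination,
    so the call succeeds only if the policy allows the action on each ARN."""
    return all(evaluate(policy, "logs:PutSubscriptionFilter", arn) == "Allow"
               for arn in (log_group_arn, destination_arn))


if __name__ == "__main__":
    log_group = "arn:aws:logs:us-east-1:111111111111:log-group:/aws/lambda/app:*"
    for name, dest in [("sampleDestination in 123456789012",
                        "arn:aws:logs:us-east-1:123456789012:destination:sampleDestination"),
                       ("otherDestination in 123456789012",
                        "arn:aws:logs:us-east-1:123456789012:destination:otherDestination"),
                       ("sampleDestination in 999999999999",
                        "arn:aws:logs:us-east-1:999999999999:destination:sampleDestination")]:
        for label, pol in [("any-destination", ANY_DESTINATION_POLICY),
                           ("single-destination", SINGLE_DESTINATION_POLICY),
                           ("with-explicit-deny", WITH_EXPLICIT_DENY)]:
            print(f"{label:20} {name:35} -> "
                  f"{can_create_subscription_filter(pol, log_group, dest)}")
```

    For the real check against the role or user from step 1, the IAM policy simulator (`aws iam simulate-principal-policy --policy-source-arn <role-or-user-arn> --action-names logs:PutSubscriptionFilter --resource-arns <log-group-arn> <destination-arn>`) evaluates the attached policies with conditions and boundaries included, which this local evaluator deliberately leaves out.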