Identity and access management for Amazon CloudWatch Logs - Amazon CloudWatch Logs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Identity and access management for Amazon CloudWatch Logs

Access to Amazon CloudWatch Logs requires credentials that Amazon can use to authenticate your requests. Those credentials must have permissions to access Amazon resources, such as to retrieve CloudWatch Logs data about your cloud resources. The following sections provide details on how you can use Amazon Identity and Access Management (IAM) and CloudWatch Logs to help secure your resources by controlling who can access them:

Authentication

To provide access, add permissions to your users, groups, or roles:

Access control

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access CloudWatch Logs resources. For example, you must have permissions to create log streams, create log groups, and so on.

The following sections describe how to manage permissions for CloudWatch Logs. We recommend that you read the overview first.