IAM permissions required to create or work with a data protection policy - Amazon CloudWatch Logs

IAM permissions required to create or work with a data protection policy

To be able to work with data protection policies for log groups, you must have certain permissions as shown in the following tables. The permissions are different for account-wide data protection policies and for data protection policies that apply to a single log group.

Permissions required for account-level data protection policies

Note

If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.

| Operation | IAM permission needed | Resource |
| --- | --- | --- |
| Create a data protection policy with no audit destinations | logs:PutAccountPolicy | * |
| | logs:PutDataProtectionPolicy | * |
| Create a data protection policy with CloudWatch Logs as an audit destination | logs:PutAccountPolicy | * |
| | logs:PutDataProtectionPolicy | * |
| | logs:CreateLogDelivery | * |
| | logs:PutResourcePolicy | * |
| | logs:DescribeResourcePolicies | * |
| | logs:DescribeLogGroups | * |
| Create a data protection policy with Firehose as an audit destination | logs:PutAccountPolicy | * |
| | logs:PutDataProtectionPolicy | * |
| | logs:CreateLogDelivery | * |
| | firehose:TagDeliveryStream | arn:aws:logs:::deliverystream/YOUR_DELIVERY_STREAM |
| Create a data protection policy with Amazon S3 as an audit destination | logs:PutAccountPolicy | * |
| | logs:PutDataProtectionPolicy | * |
| | logs:CreateLogDelivery | * |
| | s3:GetBucketPolicy | arn:aws:s3:::YOUR_BUCKET |
| | s3:PutBucketPolicy | arn:aws:s3:::YOUR_BUCKET |
| Unmask masked log events in a specified log group | logs:Unmask | arn:aws:logs:::log-group:* |
| View an existing data protection policy | logs:GetDataProtectionPolicy | * |
| Delete a data protection policy | logs:DeleteAccountPolicy | * |
| | logs:DeleteDataProtectionPolicy | * |

If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the logs:PutDataProtectionPolicy and logs:CreateLogDelivery permissions.

Permissions required for data protection policies for a single log group

Note

If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.

| Operation | IAM permission needed | Resource |
| --- | --- | --- |
| Create a data protection policy with no audit destinations | logs:PutDataProtectionPolicy | arn:aws:logs:::log-group:YOUR_LOG_GROUP:* |
| Create a data protection policy with CloudWatch Logs as an audit destination | logs:PutDataProtectionPolicy | arn:aws:logs:::log-group:YOUR_LOG_GROUP:* |
| | logs:CreateLogDelivery | * |
| | logs:PutResourcePolicy | * |
| | logs:DescribeResourcePolicies | * |
| | logs:DescribeLogGroups | * |
| Create a data protection policy with Firehose as an audit destination | logs:PutDataProtectionPolicy | arn:aws:logs:::log-group:YOUR_LOG_GROUP:* |
| | logs:CreateLogDelivery | * |
| | firehose:TagDeliveryStream | arn:aws:logs:::deliverystream/YOUR_DELIVERY_STREAM |
| Create a data protection policy with Amazon S3 as an audit destination | logs:PutDataProtectionPolicy | arn:aws:logs:::log-group:YOUR_LOG_GROUP:* |
| | logs:CreateLogDelivery | * |
| | s3:GetBucketPolicy | arn:aws:s3:::YOUR_BUCKET |
| | s3:PutBucketPolicy | arn:aws:s3:::YOUR_BUCKET |
| Unmask masked log events | logs:Unmask | arn:aws:logs:::log-group:YOUR_LOG_GROUP:* |
| View an existing data protection policy | logs:GetDataProtectionPolicy | arn:aws:logs:::log-group:YOUR_LOG_GROUP:* |
| Delete a data protection policy | logs:DeleteDataProtectionPolicy | arn:aws:logs:::log-group:YOUR_LOG_GROUP:* |

If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the logs:PutDataProtectionPolicy and logs:CreateLogDelivery permissions.

Sample data protection policy

The following sample policy allows a user to create, view, and delete data protection policies that can send audit findings to all three types of audit destinations. It does not permit the user to view unmasked data, because it grants no logs:Unmask permission.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "YOUR_SID_1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:PutResourcePolicy",
                "logs:DescribeLogGroups",
                "logs:DescribeResourcePolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "YOUR_SID_2",
            "Effect": "Allow",
            "Action": [
                "logs:GetDataProtectionPolicy",
                "logs:DeleteDataProtectionPolicy",
                "logs:PutDataProtectionPolicy",
                "s3:PutBucketPolicy",
                "firehose:TagDeliveryStream",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:firehose:::deliverystream/YOUR_DELIVERY_STREAM",
                "arn:aws:s3:::YOUR_BUCKET",
                "arn:aws:logs:::log-group:YOUR_LOG_GROUP:*"
            ]
        }
    ]
}
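The two permission tables above and the sample policy can be turned into a small least-privilege check: given the operation a principal is supposed to perform, emit the narrowest Allow-only policy the tables permit, and verify whether an existing policy (here the page's own sample) covers that operation. The following is an added example and not AWS code; the REQUIREMENTS map is transcribed from the tables, the policy evaluator is a deliberate simplification of IAM (Allow statements only, no Deny, Condition or NotAction handling), and it assumes the Firehose ARN form `arn:aws:firehose:::deliverystream/...` used by the page's sample policy rather than the `arn:aws:logs:::deliverystream/...` form written in the tables.

```python
"""Least-privilege helper for CloudWatch Logs data protection policy permissions.

Added example, not AWS code. REQUIREMENTS is transcribed from the two tables on
this page; policy_grants() is a simplified IAM evaluator (Allow only).
"""
import json
import re

# Placeholder ARNs, written as the page writes them (empty region/account).
LOG_GROUP = "arn:aws:logs:::log-group:YOUR_LOG_GROUP:*"
BUCKET = "arn:aws:s3:::YOUR_BUCKET"
# The page's sample policy uses the firehose service prefix (the real Firehose
# ARN format); the tables write "logs" instead. The sample's form is assumed here.
DELIVERY_STREAM = "arn:aws:firehose:::deliverystream/YOUR_DELIVERY_STREAM"
ANY = "*"

# Permissions shared by every "create with an audit destination" row.
_DELIVERY = [("logs:CreateLogDelivery", ANY)]
_LOGS_DEST = _DELIVERY + [("logs:PutResourcePolicy", ANY),
                          ("logs:DescribeResourcePolicies", ANY),
                          ("logs:DescribeLogGroups", ANY)]
_FIREHOSE_DEST = _DELIVERY + [("firehose:TagDeliveryStream", DELIVERY_STREAM)]
_S3_DEST = _DELIVERY + [("s3:GetBucketPolicy", BUCKET), ("s3:PutBucketPolicy", BUCKET)]
_ACCOUNT_PUT = [("logs:PutAccountPolicy", ANY), ("logs:PutDataProtectionPolicy", ANY)]
_GROUP_PUT = [("logs:PutDataProtectionPolicy", LOG_GROUP)]

# (scope, operation) -> [(action, resource)], one entry per table row.
REQUIREMENTS = {
    ("account", "create:none"): _ACCOUNT_PUT,
    ("account", "create:logs"): _ACCOUNT_PUT + _LOGS_DEST,
    ("account", "create:firehose"): _ACCOUNT_PUT + _FIREHOSE_DEST,
    ("account", "create:s3"): _ACCOUNT_PUT + _S3_DEST,
    ("account", "unmask"): [("logs:Unmask", "arn:aws:logs:::log-group:*")],
    ("account", "view"): [("logs:GetDataProtectionPolicy", ANY)],
    ("account", "delete"): [("logs:DeleteAccountPolicy", ANY),
                            ("logs:DeleteDataProtectionPolicy", ANY)],
    ("log-group", "create:none"): _GROUP_PUT,
    ("log-group", "create:logs"): _GROUP_PUT + _LOGS_DEST,
    ("log-group", "create:firehose"): _GROUP_PUT + _FIREHOSE_DEST,
    ("log-group", "create:s3"): _GROUP_PUT + _S3_DEST,
    # Reduced set the page states for a destination that already receives audit logs.
    ("log-group", "create:existing-destination"): _GROUP_PUT + _DELIVERY,
    ("log-group", "unmask"): [("logs:Unmask", LOG_GROUP)],
    ("log-group", "view"): [("logs:GetDataProtectionPolicy", LOG_GROUP)],
    ("log-group", "delete"): [("logs:DeleteDataProtectionPolicy", LOG_GROUP)],
}

# The sample policy from this page, as a dict.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "YOUR_SID_1", "Effect": "Allow", "Action": ["logs:CreateLogDelivery",
  "logs:PutResourcePolicy", "logs:DescribeLogGroups", "logs:DescribeResourcePolicies"],
  "Resource": "*"},
 {"Sid": "YOUR_SID_2", "Effect": "Allow", "Action": ["logs:GetDataProtectionPolicy",
  "logs:DeleteDataProtectionPolicy", "logs:PutDataProtectionPolicy", "s3:PutBucketPolicy",
  "firehose:TagDeliveryStream", "s3:GetBucketPolicy"],
  "Resource": ["arn:aws:firehose:::deliverystream/YOUR_DELIVERY_STREAM",
   "arn:aws:s3:::YOUR_BUCKET", "arn:aws:logs:::log-group:YOUR_LOG_GROUP:*"]}]}""")


def build_policy(scope, operation):
    """Emit the narrowest Allow-only policy for one table row: actions are grouped
    by resource so nothing is granted on '*' that the table scopes to an ARN."""
    by_resource = {}
    for action, resource in REQUIREMENTS[(scope, operation)]:
        by_resource.setdefault(resource, []).append(action)
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
                  for resource, actions in by_resource.items()]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _iam_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def policy_grants(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.
    Simplification: Deny, Condition, NotAction and NotResource are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if (any(_iam_match(a, action) for a in _as_list(stmt["Action"]))
                and any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))):
            return True
    return False


def missing_permissions(policy, scope, operation):
    """(action, resource) pairs the table requires that the policy does not grant."""
    return [(a, r) for a, r in REQUIREMENTS[(scope, operation)]
            if not policy_grants(policy, a, r)]


if __name__ == "__main__":
    for op in ("create:s3", "unmask"):
        print(op, "missing:", missing_permissions(SAMPLE_POLICY, "log-group", op))
    print(json.dumps(build_policy("account", "create:firehose"), indent=2))
```

Run against the page's sample, the check reports nothing missing for any single-log-group create, view or delete operation, reports `logs:Unmask` missing for the unmask operation (matching the page's statement that the sample does not permit viewing unmasked data), and reports `logs:PutAccountPolicy` and a `*`-scoped `logs:PutDataProtectionPolicy` missing for account-level operations, since the sample scopes that action to one log group ARN.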