# Using identity-based policies (IAM policies) for CloudWatch Logs
This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).
**Important**
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your CloudWatch Logs resources. For more information, see [Overview of managing access permissions to your CloudWatch Logs resources](iam-access-control-overview-cwl.md).
This topic covers the following:
+ [Permissions required to use the CloudWatch console](#console-permissions-cwl)
+ [Amazon managed (predefined) policies for CloudWatch Logs](#managed-policies-cwl)
+ [Customer managed policy examples](#customer-managed-policies-cwl)
The following is an example of a permissions policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws-cn:logs:*:*:*"
]
}
]
}
```
------
This policy has one statement that grants permissions to create log groups and log streams, to upload log events to log streams, and to list details about log streams.
The wildcard character (\*) in the `Resource` value grants permission for the listed actions on any CloudWatch Logs resource.
+ **To limit permissions to specific log group actions** (e.g., `CreateLogGroup`, `DescribeLogStreams`), replace the wildcard with the log group ARN—`arn:aws:logs:{{us-west-2}}:{{123456789012}}:log-group:{{MyLogGroup}}`
+ **To limit permissions to specific log stream actions** (e.g., `CreateLogStream`, `PutLogEvents`), replace the wildcard with the log stream ARN—`arn:aws:logs:{{us-west-2}}:{{123456789012}}:log-group:{{MyLogGroup}}:*` (matches all streams) or `arn:aws:logs:{{us-west-2}}:{{123456789012}}:log-group:{{MyLogGroup}}:log-stream:{{MyStream}}` (specific stream)
See the [service authorization reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html) for which resource type each API requires.
## Permissions required to use the CloudWatch console
For a user to work with CloudWatch Logs in the CloudWatch console, that user must have a minimum set of permissions that allows the user to describe other Amazon resources in their Amazon account. In order to use CloudWatch Logs in the CloudWatch console, you must have permissions from the following services:
+ CloudWatch
+ CloudWatch Logs
+ OpenSearch Service
+ IAM
+ Kinesis
+ Lambda
+ Amazon S3
If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the CloudWatch console, also attach the `CloudWatchReadOnlyAccess` managed policy to the user, as described in [Amazon managed (predefined) policies for CloudWatch Logs](#managed-policies-cwl).
You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the CloudWatch Logs API.
The full set of permissions required to work with the CloudWatch console for a user who is not using the console to manage log subscriptions are:
+ cloudwatch:GetMetricData
+ cloudwatch:ListMetrics
+ logs:CancelExportTask
+ logs:CreateExportTask
+ logs:CreateLogGroup
+ logs:CreateLogStream
+ logs:DeleteLogGroup
+ logs:DeleteLogStream
+ logs:DeleteMetricFilter
+ logs:DeleteQueryDefinition
+ logs:DeleteRetentionPolicy
+ logs:DeleteSubscriptionFilter
+ logs:DescribeExportTasks
+ logs:DescribeLogGroups
+ logs:DescribeLogStreams
+ logs:DescribeMetricFilters
+ logs:DescribeQueryDefinitions
+ logs:DescribeQueries
+ logs:DescribeSubscriptionFilters
+ logs:FilterLogEvents
+ logs:GetLogEvents
+ logs:GetLogGroupFields
+ logs:GetLogRecord
+ logs:GetQueryResults
+ logs:PutMetricFilter
+ logs:PutQueryDefinition
+ logs:PutRetentionPolicy
+ logs:StartQuery
+ logs:StopQuery
+ logs:PutSubscriptionFilter
+ logs:TestMetricFilter
For a user who will also be using the console to manage log subscriptions, the following permissions are also required:
+ es:DescribeElasticsearchDomain
+ es:ListDomainNames
+ iam:AttachRolePolicy
+ iam:CreateRole
+ iam:GetPolicy
+ iam:GetPolicyVersion
+ iam:GetRole
+ iam:ListAttachedRolePolicies
+ iam:ListRoles
+ kinesis:DescribeStreams
+ kinesis:ListStreams
+ lambda:AddPermission
+ lambda:CreateFunction
+ lambda:GetFunctionConfiguration
+ lambda:ListAliases
+ lambda:ListFunctions
+ lambda:ListVersionsByFunction
+ lambda:RemovePermission
+ s3:ListBuckets
## Amazon managed (predefined) policies for CloudWatch Logs
Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see [Amazon Managed Policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.
The following Amazon managed policies, which you can attach to users and roles in your account, are specific to CloudWatch Logs:
+ **CloudWatchLogsFullAccess** – Grants full access to CloudWatch Logs.
+ **CloudWatchLogsReadOnlyAccess** – Grants read-only access to CloudWatch Logs.
### CloudWatchLogsFullAccess
The **CloudWatchLogsFullAccess** policy grants full access to CloudWatch Logs. The policy includes the `cloudwatch:GenerateQuery` and `cloudwatch:GenerateQueryResultsSummary` permissions, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. To see the full contents of the policy, see [CloudWatchLogsFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchLogsFullAccess.html) in the *Amazon Managed Policy Reference Guide*.
### CloudWatchLogsReadOnlyAccess
The **CloudWatchLogsReadOnlyAccess** policy grants read-only access to CloudWatch Logs. It includes the `cloudwatch:GenerateQuery` and `cloudwatch:GenerateQueryResultsSummary` permissions, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. To see the full contents of the policy, see [CloudWatchLogsReadOnlyAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchLogsReadOnlyAccess.html) in the *Amazon Managed Policy Reference Guide*.
### CloudWatchOpenSearchDashboardsFullAccess
The **CloudWatchOpenSearchDashboardsFullAccess** policy grants access to create, manage, and delete integrations with OpenSearch Service, and to create delete and manage vended log dashboards in those integrations. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).
To see the full contents of the policy, see [CloudWatchOpenSearchDashboardsFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchOpenSearchDashboardsFullAccess.html) in the *Amazon Managed Policy Reference Guide*.
### CloudWatchOpenSearchDashboardAccess
The **CloudWatchOpenSearchDashboardAccess** policy grants access to view vended logs dashboards that are created with Amazon OpenSearch Service analytics. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).
**Important**
In addition to granting this policy, to enable a role or user to be able to view vended log dashboards, you must also specify them when you create the integration with OpenSearch Service. For more information, see [Step 1: Create the integration with OpenSearch Service](OpenSearch-Dashboards-Integrate.md).
To see the full contents of the policy, see [CloudWatchOpenSearchDashboardAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchOpenSearchDashboardAccess.html) in the *Amazon Managed Policy Reference Guide*.
#### CloudWatchLogsCrossAccountSharingConfiguration
The **CloudWatchLogsCrossAccountSharingConfiguration** policy grants access to create, manage, and view Observability Access Manager links for sharing CloudWatch Logs resources between accounts. For more information, see [ CloudWatch cross-account observability](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).
To see the full contents of the policy, see [CloudWatchLogsCrossAccountSharingConfiguration](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchLogsCrossAccountSharingConfiguration.html) in the *Amazon Managed Policy Reference Guide*.
#### CloudWatchLogsAPIKeyAccess
The **CloudWatchLogsAPIKeyAccess** policy enables CloudWatch Logs API key authentication and encrypted log ingestion. This policy grants permissions to authenticate using bearer tokens and write log events to CloudWatch Logs, with additional Amazon KMS permissions for decrypting and generating data keys when logs are encrypted.
This policy grants the following permissions:
+ `logs` – Allows principals to authenticate via API key bearer tokens and write log events to CloudWatch Logs streams.
+ `kms` – Allows principals to read Amazon KMS key metadata, generate data keys for encryption, and decrypt data. These permissions support encrypted CloudWatch Logs by allowing the service to encrypt log data using customer-managed Amazon KMS keys. Access is restricted to operations called through the CloudWatch Logs service.
To view more details about the policy, including the latest version of the JSON policy document, see [CloudWatchLogsAPIKeyAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) in the *Amazon Managed Policy Reference Guide*.
### CloudWatch Logs updates to Amazon managed policies
View details about updates to Amazon managed policies for CloudWatch Logs since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Logs Document history page.
| Change | Description | Date |
| --- | --- | --- |
| [CloudWatchLogsAPIKeyAccess](#managed-policies-cwl-CloudWatchLogsAPIKeyAccess) – New policy. | CloudWatch Logs added a new managed policy **CloudWatchLogsAPIKeyAccess**.
This policy enables CloudWatch Logs API key authentication and encrypted log ingestion, granting permissions to authenticate using bearer tokens and write log events to CloudWatch Logs. | February 17, 2026 |
| [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy. | CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**.
Permissions for observability administration actions were added to allow read-only access to telemetry pipelines and S3 table integrations. | December 02, 2025 |
| [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy. | CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**.
Permissions for observability administration actions were added to allow read-only access to telemetry pipelines and S3 table integrations. | December 02, 2025 |
| [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy. | CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**.
Permissions for `cloudwatch:GenerateQueryResultsSummary` were added to allow for generation of a natural language summary of the query results. | May 20, 2025 |
| [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy. | CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**.
Permissions for `cloudwatch:GenerateQueryResultsSummary` were added to allow for generation of a natural language summary of the query results. | May 20, 2025 |
| [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy. | CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**.
Permissions for Amazon OpenSearch Service and IAM were added, to enable CloudWatch Logs integration with OpenSearch Service for some features. | December 1, 2024 |
| [CloudWatchOpenSearchDashboardsFullAccess](#managed-policies-cwl-CloudWatchOpenSearchDashboardsFullAccess) – New IAM policy. | CloudWatch Logs added a new IAM policy, **CloudWatchOpenSearchDashboardsFullAccess**.- This policy grants access to create, manage, and delete integrations with OpenSearch Service, and to create, manage, and delete vended log dashboards in those integrations. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md). | December 1, 2024 |
| [CloudWatchOpenSearchDashboardAccess](#managed-policies-cwl-CloudWatchOpenSearchDashboardAccess) – New IAM policy. | CloudWatch Logs added a new IAM policy, **CloudWatchOpenSearchDashboardAccess**.- This policy grants access to view vended logs dashboards powered by Amazon OpenSearch Service. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md). | December 1, 2024 |
| [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy. | CloudWatch Logs added a permission to **CloudWatchLogsFullAccess**.
The `cloudwatch:GenerateQuery` permission was added, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. | November 27, 2023 |
| [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy. | CloudWatch added a permission to **CloudWatchLogsReadOnlyAccess**.
The `cloudwatch:GenerateQuery` permission was added, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. | November 27, 2023 |
| [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy | CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**.
The `logs:StartLiveTail` and `logs:StopLiveTail` permissions were added so that users with this policy can use the console to start and stop CloudWatch Logs live tail sessions. For more information, see [ Use live tail to view logs in near real time](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CloudWatchLogs_LiveTail.html). | June 6, 2023 |
| [CloudWatchLogsCrossAccountSharingConfiguration](#managed-policies-cwl-CloudWatchLogsCrossAccountSharingConfiguration) – New policy | CloudWatch Logs added a new policy to enable you to manage CloudWatch cross-account observability links that share CloudWatch Logs log groups.
For more information, see [ CloudWatch cross-account observability](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html) | November 27, 2022 |
| [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy | CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**.
The `oam:ListSinks` and `oam:ListAttachedLinks` permissions were added so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability. | November 27, 2022 |
### Customer managed policy examples
You can create your own custom IAM policies to allow permissions for CloudWatch Logs actions and resources. You can attach these custom policies to the users or groups that require those permissions.
In this section, you can find example user policies that grant permissions for various CloudWatch Logs actions. These policies work when you are using the CloudWatch Logs API, Amazon SDKs, or the Amazon CLI.
**Topics**
+ [Example 1: Allow full access to CloudWatch Logs](#w2aac61c15c15c27c19b9)
+ [Example 2: Allow read-only access to CloudWatch Logs](#w2aac61c15c15c27c19c11)
+ [Example 3: Allow access to one log group / log stream](#w2aac61c15c15c27c19c13)
#### Example 1: Allow full access to CloudWatch Logs
The following policy allows a user to access all CloudWatch Logs actions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
#### Example 2: Allow read-only access to CloudWatch Logs
Amazon provides a **CloudWatchLogsReadOnlyAccess** policy that enables read-only access to CloudWatch Logs data. This policy includes the following permissions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"logs:Describe*",
"logs:Get*",
"logs:List*",
"logs:StartQuery",
"logs:StopQuery",
"logs:TestMetricFilter",
"logs:FilterLogEvents",
"logs:StartLiveTail",
"logs:StopLiveTail",
"cloudwatch:GenerateQuery"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
#### Example 3: Allow access to one log group / log stream
CloudWatch Logs has two resource types with different ARN formats:
+ **Log group**: `arn:aws:logs:{{region}}:{{account}}:log-group:{{LogGroupName}}`
+ **Log stream**: `arn:aws:logs:{{region}}:{{account}}:log-group:{{LogGroupName}}:log-stream:{{StreamName}}`
When writing IAM policies, the ARN format you use must match the resource type the API authorizes on. See the [service authorization reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html) for which resource type each API requires.
##### Example 3a: Allow access to log-group-level actions on a specific log group
```
{
"Version":"2012-10-17",
"Statement":[
{
"Action": [
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:PutSubscriptionFilter",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName"
}
]
}
```
These actions authorize on the `log-group` resource type. The standard ARN format (without `:*`) is supported.
##### Example 3b: Allow access to log-stream-level actions on a specific log group
```
{
"Version":"2012-10-17",
"Statement":[
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
}
]
}
```
These actions authorize on the `log-stream` resource type. The `:*` suffix is required to match all log streams within the log group, or specify a specific stream with `:log-stream:{{StreamName}}`.
##### Example 3c: Combined policy for both log-group and log-stream actions
```
{
"Version":"2012-10-17",
"Statement":[
{
"Action": [
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DescribeLogStreams",
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
}
]
}
```
### Use tagging and IAM policies for control at the log group level
You can grant users access to certain log groups while preventing them from accessing other log groups. To do so, tag your log groups and use IAM policies that refer to those tags. To apply tags to a log group, you need to have either the `logs:TagResource` or `logs:TagLogGroup` permission. This applies both if you are assigning tags to the log group when you create it. or assigning them later.
For more information about tagging log groups, see [Tag log groups in Amazon CloudWatch Logs](Working-with-log-groups-and-streams.md#log-group-tagging).
When you tag log groups, you can then grant an IAM policy to a user to allow access to only the log groups with a particular tag. For example, the following policy statement grants access to only log groups with the value of `Green` for the tag key `Team`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/Team": "Green"
}
}
}
]
}
```
------
The **StopQuery** and **StopLiveTail** API operations don't interact with Amazon resources in the traditional sense. They don't return any data, put any data, or modify a resource in any way. Instead, they operate only on a given live tail session or a given CloudWatch Logs Insights query, which are not categorized as resources. As a result, when you specify the `Resource` field in IAM policies for these operations, you must set the value of the `Resource` field as `*`, as in the following example.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":
[ {
"Effect": "Allow",
"Action": [
"logs:StopQuery",
"logs:StopLiveTail"
],
"Resource": "*"
}
]
}
```
------
For more information about using IAM policy statements, see [Controlling Access Using Policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_controlling.html) in the *IAM User Guide*.