Actions, resources, and condition keys for Amazon CloudWatch Logs
Amazon CloudWatch Logs (service prefix: logs) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon CloudWatch Logs
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AssociateKmsKey |
Write |
|||
|
AssociateSourceToS3TableIntegration |
Write |
|||
|
CancelExportTask |
Write |
|||
|
CancelImportTask |
Write |
|||
|
CreateDelivery |
Write |
|||
Tagging, Write |
||||
|
CreateExportTask |
Write |
|||
|
CreateImportTask |
Write |
|||
iam:PassedToService |
cloudtrail.amazonaws.com, logs.amazonaws.com |
Write |
||
|
CreateLogAnomalyDetector |
Write |
|||
Tagging, Write |
||||
|
CreateLogGroup |
Write |
|||
Tagging, Write |
||||
Tagging, Write |
||||
|
CreateLogStream |
Write |
|||
|
CreateLookupTable |
Write |
|||
Tagging, Write |
||||
|
CreateScheduledQuery |
Write |
|||
Tagging, Write |
||||
iam:PassedToService |
logs.amazonaws.com |
Write |
||
|
DeleteAccountPolicy |
Write |
|||
Write |
||||
Write |
||||
Write |
||||
Write |
||||
Write |
||||
|
DeleteDataProtectionPolicy |
Write |
|||
|
DeleteDelivery |
Write |
|||
|
DeleteDeliveryDestination |
Write |
|||
|
DeleteDeliveryDestinationPolicy |
Write |
|||
|
DeleteDeliverySource |
Write |
|||
|
DeleteDestination |
Write |
|||
|
DeleteIndexPolicy |
Write |
|||
|
DeleteIntegration |
Write |
|||
|
DeleteLogAnomalyDetector |
Write |
|||
|
DeleteLogGroup |
Write |
|||
|
DeleteLogStream |
Write |
|||
|
DeleteLookupTable |
Write |
|||
|
DeleteMetricFilter |
Write |
|||
|
DeleteQueryDefinition |
Write |
|||
|
DeleteResourcePolicy |
Permissions management, Write |
|||
|
DeleteRetentionPolicy |
Write |
|||
|
DeleteScheduledQuery |
Write |
|||
|
DeleteSubscriptionFilter |
Write |
|||
|
DeleteSyslogConfiguration |
Write |
|||
|
DeleteTransformer |
Write |
|||
|
DescribeAccountPolicies |
List |
|||
|
DescribeConfigurationTemplates |
List |
|||
|
DescribeDeliveries |
List |
|||
|
DescribeDeliveryDestinations |
List |
|||
|
DescribeDeliverySources |
List |
|||
|
DescribeDestinations |
List |
|||
|
DescribeExportTasks |
List |
|||
|
DescribeFieldIndexes |
List |
|||
|
DescribeImportTaskBatches |
List |
|||
|
DescribeImportTasks |
List |
|||
|
DescribeIndexPolicies |
List |
|||
|
DescribeLogGroups |
List |
|||
|
DescribeLogStreams |
List |
|||
|
DescribeLookupTables |
List |
|||
|
DescribeMetricFilters |
List |
|||
|
DescribeQueries |
List |
|||
Read |
||||
|
DescribeQueryDefinitions |
List |
|||
|
DescribeResourcePolicies |
List |
|||
|
DescribeSubscriptionFilters |
List |
|||
|
DisassociateKmsKey |
Write |
|||
|
DisassociateSourceFromS3TableIntegration |
Write |
|||
|
FilterLogEvents |
Read |
|||
Read |
||||
|
GetDataProtectionPolicy |
Read |
|||
|
GetDelivery |
Read |
|||
|
GetDeliveryDestination |
Read |
|||
|
GetDeliveryDestinationPolicy |
Read |
|||
|
GetDeliverySource |
Read |
|||
|
GetIntegration |
Read |
|||
|
GetLogAnomalyDetector |
Read |
|||
|
GetLogEvents |
Read |
|||
Read |
||||
|
GetLogFields |
Read |
|||
|
GetLogGroupFields |
Read |
|||
Read |
||||
|
GetLogRecord |
Read |
|||
Read |
||||
Read |
||||
|
GetLookupTable |
Read |
|||
|
GetQueryResults |
Read |
|||
Read |
||||
Read |
||||
|
GetScheduledQuery |
Read |
|||
|
GetScheduledQueryHistory |
Read |
|||
|
GetStorageTierPolicy |
Read |
|||
|
GetTransformer |
Read |
|||
|
ListAggregateLogGroupSummaries |
List |
|||
|
ListAnomalies |
List |
|||
|
ListIntegrations |
List |
|||
|
ListLogAnomalyDetectors |
List |
|||
|
ListLogGroups |
List |
|||
List |
||||
|
ListLogGroupsForQuery |
List |
|||
|
ListScheduledQueries |
List |
|||
|
ListSourcesForS3TableIntegration |
List |
|||
|
ListSyslogConfigurations |
List |
|||
|
ListTagsForResource |
List |
|||
|
ListTagsLogGroup |
List |
|||
|
PutAccountPolicy |
Write |
|||
Write |
||||
Write |
||||
Write |
||||
Write |
||||
Write |
||||
iam:PassedToService |
logs.amazonaws.com |
Write |
||
|
PutBearerTokenAuthentication |
Write |
|||
|
PutDataProtectionPolicy |
Write |
|||
|
PutDeliveryDestination |
Write |
|||
Tagging, Write |
||||
|
PutDeliveryDestinationPolicy |
Write |
|||
|
PutDeliverySource |
Write |
|||
Tagging, Write |
||||
|
PutDestination |
Write |
|||
Tagging, Write |
||||
iam:PassedToService |
logs.amazonaws.com |
Write |
||
|
PutDestinationPolicy |
Write |
|||
|
PutIndexPolicy |
Write |
|||
|
PutIntegration |
Write |
|||
|
PutLogEvents |
Write |
|||
|
PutLogGroupDeletionProtection |
Write |
|||
|
PutMetricFilter |
Write |
|||
|
PutQueryDefinition |
Write |
|||
|
PutResourcePolicy |
Permissions management, Write |
|||
|
PutRetentionPolicy |
Write |
|||
|
PutStorageTierPolicy |
Write |
|||
|
PutSubscriptionFilter |
Write |
|||
iam:PassedToService |
logs.amazonaws.com |
Write |
||
|
PutSyslogConfiguration |
Write |
|||
|
PutTransformer |
Write |
|||
|
StartQuery |
List |
|||
List |
||||
Read |
||||
Read |
||||
Read |
||||
|
StopQuery |
Read |
|||
Read |
||||
|
TagLogGroup |
Tagging, Write |
|||
|
TagResource |
Tagging, Write |
|||
|
TestMetricFilter |
Read |
|||
|
TestTransformer |
Read |
|||
|
UntagLogGroup |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateAnomaly |
Write |
|||
|
UpdateDeliveryConfiguration |
Write |
|||
|
UpdateLogAnomalyDetector |
Write |
|||
|
UpdateLookupTable |
Write |
|||
|
UpdateScheduledQuery |
Write |
|||
iam:PassedToService |
logs.amazonaws.com |
Write |
Actions defined by Amazon CloudWatch Logs
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in Amazon. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to associate the specified Amazon Key Management Service (Amazon KMS) customer master key (CMK) with the specified log group |
Write |
|||
Grants permission to associate a log source to an S3 Tables integration |
Write |
|||
Grants permission to cancel an export task if it is in PENDING or RUNNING state |
Write |
|||
Grants permission to cancel an import from CloudTrail Lake to CloudWatch |
Write |
|||
Grants permission to create a delivery connecting a delivery source to a delivery destination |
Write |
|||
Grants permission to create an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket |
Write |
|||
Grants permission to start an asynchronous process to import data from a CloudTrail Lake event data store into a managed log group in CloudWatch |
Write |
|||
Grants permission to create a log anomaly detector |
Write |
|||
Grants permission to create a new log group with the specified name |
Write |
|||
Grants permission to create a new log stream with the specified name |
Write |
|||
Grants permission to create a lookup table |
Write |
|||
Grants permission to create a scheduled query |
Write |
|||
Grants permission to delete an account policy |
Write |
|||
Grants permission to delete a data protection policy attached to a log group |
Write |
|||
Grants permission to delete a delivery |
Write |
|||
Grants permission to delete a delivery destination after all associated deliveries are deleted |
Write |
|||
Grants permission to delete a delivery destination policy associated with a delivery destination |
Write |
|||
Grants permission to delete a delivery source after all associated deliveries are deleted |
Write |
|||
Grants permission to delete the destination with the specified name |
Write |
|||
Grants permission to delete an index policy attached to a log group |
Write |
|||
Grants permission to delete the integration |
Write |
|||
Grants permission to delete a log anomaly detector |
Write |
|||
Grants permission to delete the log group with the specified name |
Write |
|||
Grants permission to delete a log stream |
Write |
|||
Grants permission to delete a lookup table |
Write |
|||
Grants permission to delete a metric filter associated with the specified log group |
Write |
|||
Grants permission to delete a saved CloudWatch Logs Insights query definition |
Write |
|||
Grants permission to delete a resource policy from this account |
Permissions management, Write |
|||
Grants permission to delete the retention policy of the specified log group |
Write |
|||
Grants permission to delete a scheduled query |
Write |
|||
Grants permission to delete a subscription filter associated with the specified log group |
Write |
|||
Grants permission to delete syslog configuration for the specified log group |
Write |
|||
Grants permission to delete a transformer associated with the specified log group |
Write |
|||
Grants permission to retrieve account policies |
List |
|||
Grants permission to retrieve a list of configuration templates of available log types |
List |
|||
Grants permission to retrieve a list of deliveries an account |
List |
|||
Grants permission to retrieve a list of delivery destinations an account |
List |
|||
Grants permission to retrieve a list of delivery sources in an account |
List |
|||
Grants permission to return all the destinations that are associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all the export tasks that are associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all the indexing attributes that are attached with the log groups |
List |
|||
Grants permission to return detailed information about the individual batches within an import task, including status and any error |
List |
|||
Grants permission to return all the import tasks associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all the index policies that are attached with the log groups |
List |
|||
Grants permission to return all the log groups that are associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all the log streams that are associated with the specified log group |
List |
|||
Grants permission to return all lookup tables |
List |
|||
Grants permission to return all the metrics filters associated with the specified log group |
List |
|||
Grants permission to return a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account |
List |
|||
Grants permission to return a paginated list of your saved CloudWatch Logs Insights query definitions |
List |
|||
Grants permission to return all the resource policies in this account |
List |
|||
Grants permission to return all the subscription filters associated with the specified log group |
List |
|||
Grants permission to disassociate the associated Amazon Key Management Service (Amazon KMS) customer master key (CMK) from the specified log group |
Write |
|||
Grants permission to disassociate a log source from an S3 Tables integration |
Write |
|||
Grants permission to retrieve log events, optionally filtered by a filter pattern from the specified log group |
Read |
|||
Grants permission to retrieve a data protection policy attached to a log group |
Read |
|||
Grants permission to retrieve a single delivery |
Read |
|||
Grants permission to retrieve a single delivery destination |
Read |
|||
Grants permission to retrieve a delivery destination policy attached to a delivery destination |
Read |
|||
Grants permission to retrieve a single delivery source |
Read |
|||
Grants permission to retrieve a single integration |
Read |
|||
Grants permission to get a log anomaly detector |
Read |
|||
Grants permission to retrieve log events from the specified log stream |
Read |
|||
Grants permission to retrieve a list of log fields for a data source |
Read |
|||
Grants permission to return a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field |
Read |
|||
Grants permission to retrieve all the fields and values of a single log event |
Read |
|||
Grants permission to retrieve a lookup table |
Read |
|||
Grants permission to return the results from the specified query |
Read |
|||
Grants permission to retrieve information about a specified scheduled query |
Read |
|||
Grants permission to return the execution history for a specified scheduled query |
Read |
|||
Grants permission to retrieve the storage tier policy for the account |
Read |
|||
Grants permission to return transformer associated with the specified log group |
Read |
|||
Grants permission to return an aggregate summary of all log groups in the region grouped by specified data-source characteristics |
List |
|||
Grants permission to list all anomalies detected in the Amazon Web Services account making the request |
List |
|||
Grants permission to list all integrations associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all the anomaly detectors that are associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all the log groups that are associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all the log groups that are associated with the specified query |
List |
|||
Grants permission to return all scheduled queries that are associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to return all log sources associated with an S3 Tables integration |
List |
|||
Grants permission to return all syslog configurations associated with the Amazon Web Services account making the request |
List |
|||
Grants permission to list the tags for the specified resource |
List |
|||
Grants permission to list the tags for the specified log group |
List |
|||
Grants permission to attach an account policy |
Write |
|||
Grants permission to enable or disable bearer token based authentication for the specified log group |
Write |
|||
Grants permission to attach a data protection policy to detect and redact sensitive information from log events |
Write |
|||
Grants permission to create/update a delivery destination |
Write |
|||
Grants permission to attach a delivery destination policy to a delivery destination |
Write |
|||
Grants permission to create/update a delivery source |
Write |
|||
Grants permission to create or update a Destination |
Write |
|||
Grants permission to create or update an access policy associated with an existing Destination |
Write |
|||
Grants permission to attach an index policy at log group level to optimize search and query |
Write |
|||
Grants permission to create integration between cloudwatch logs and opensearch |
Write |
|||
Grants permission to upload a batch of log events to the specified log stream |
Write |
|||
Grants permission to enable or disable deletion protection for the specified log group |
Write |
|||
Grants permission to create or update a metric filter and associates it with the specified log group |
Write |
|||
Grants permission to create or update a query definition |
Write |
|||
Grants permission to create or update a resource policy allowing other Amazon services to put log events to this account |
Permissions management, Write |
|||
Grants permission to set the retention of the specified log group |
Write |
|||
Grants permission to set the storage tier policy for the account |
Write |
|||
Grants permission to create or update a subscription filter and associates it with the specified log group |
Write |
|||
Grants permission to add syslog configuration for the specified log group |
Write |
|||
Grants permission to create or update a transformer and associates it with the specified log group |
Write |
|||
Grants permission to start a Live Tail session in CloudWatch Logs |
Read |
|||
Grants permission to schedule a query of a log group using CloudWatch Logs Insights |
Read |
|||
Grants permission to stop a CloudWatch Logs Insights query that is in progress |
Read |
|||
Grants permission to add or update the specified tags for the specified log group |
Tagging, Write |
|||
Grants permission to add or update the specified tags for the specified resource |
Tagging, Write |
|||
Grants permission to test the filter pattern of a metric filter against a sample of log event messages |
Read |
|||
Grants permission to test the transformer against a sample of log event messages |
Read |
|||
Grants permission to remove the specified tags from the specified log group |
Tagging, Write |
|||
Grants permission to remove the specified tags from the specified resource |
Tagging, Write |
|||
Grants permission to update an anomaly reported by a log anomaly detector |
Write |
|||
Grants permission to update configuration related to a delivery |
Write |
|||
Grants permission to update a log anomaly detector |
Write |
|||
Grants permission to update a lookup table |
Write |
|||
Grants permission to update a scheduled query |
Write |
Permission-only actions for Amazon CloudWatch Logs
The following actions are defined by Amazon CloudWatch Logs but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to authenticate requests using bearer token |
Write |
|||
Grants permission to create the log delivery |
Write |
|||
Grants permission to delete the log delivery information for specified log delivery |
Write |
|||
Grants permission to delete telemetry pipeline |
Write |
|||
Grants permission to get the log delivery information for specified log delivery |
Read |
|||
Grants permission to deliver log events to S3 Tables |
Write |
|||
Grants permission to share CloudWatch resources with a monitoring account |
Write |
|||
Grants permission to retrieve all the entities that are associated with log group |
List |
|||
Grants permission to list all the log deliveries for specified account and/or log source |
List |
|||
Grants permission to retrieve all the log groups that are associated with entity |
List |
|||
Grants permission to process and transform log events through pipeline transformers before storage |
Write |
|||
Grants permission to create telemetry pipeline |
Write |
|||
Grants permission to stop a Live Tail session that is in progress |
Read |
|||
Grants permission to fetch unmasked log events that have been redacted with a data protection policy |
Read |
|||
Grants permission to update the log delivery information for specified log delivery |
Write |
Resource types defined by Amazon CloudWatch Logs
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:logs:${Region}:${Account}:anomaly-detector:${DetectorId} |
||
arn:${Partition}:logs:${Region}:${Account}:delivery:${DeliveryName} |
||
arn:${Partition}:logs:${Region}:${Account}:delivery-destination:${DeliveryDestinationName} |
||
arn:${Partition}:logs:${Region}:${Account}:delivery-source:${DeliverySourceName} |
||
arn:${Partition}:logs:${Region}:${Account}:destination:${DestinationName} |
||
arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName} |
||
arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName} |
||
arn:${Partition}:logs:${Region}:${Account}:lookup-table:${LookupTableName} |
||
arn:${Partition}:logs:${Region}:${Account}:scheduled-query:${ScheduledQueryId} |
Condition keys for Amazon CloudWatch Logs
Amazon CloudWatch Logs defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the tags that are passed in the request |
String |
|
Filters access by the tags associated with the resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |
|
Filters access by the Log Destination ARN passed in the request |
ARN |
|
Filters access by the Log Generating Resource ARNs passed in the request |
ArrayOfARN |
|
Filters access by the data source name passed in the request |
String |
|
Filters access by the data source type passed in the request |
String |