logs: Support Resource policies
Reproduction Steps

```ts
import * as iam from '@aws-cdk/aws-iam';
import * as logs from '@aws-cdk/aws-logs';

// Inside a Stack or Construct (`this` is the scope).
const cloudWatchLogGroup = new logs.LogGroup(this, 'ElasticSearchLogGroup', {
  retention: logs.RetentionDays.THREE_MONTHS,
});
// grantWrite() returns an iam.Grant; assertSuccess() throws when the permissions
// could be attached to neither an identity policy nor a resource policy.
cloudWatchLogGroup.grantWrite(new iam.ServicePrincipal('es.amazonaws.com')).assertSuccess();
```
Also fails with the resource policy that I need.
```ts
import * as iam from '@aws-cdk/aws-iam';
import * as logs from '@aws-cdk/aws-logs';

// Inside a Stack or Construct (`this` is the scope).
const cloudWatchLogGroup = new logs.LogGroup(this, 'ElasticSearchLogGroup', {
  retention: logs.RetentionDays.THREE_MONTHS,
});
// Explicit action list instead of grantWrite(); a service principal has no identity
// policy, so this can only succeed through a log group resource policy.
cloudWatchLogGroup
  .grant(
    new iam.ServicePrincipal('es.amazonaws.com'),
    'logs:PutLogEvents',
    'logs:PutLogEventsBatch',
    'logs:CreateLogStream'
  )
  .assertSuccess();
```
Error Log

```
Error: Permissions for 'ServicePrincipal(es.amazonaws.com)' to call 'logs:CreateLogStream,logs:PutLogEvents' on '${Token[TOKEN.507]}' could not be added on either identity or resource policy.
Error: Permissions for 'ServicePrincipal(es.amazonaws.com)' to call 'logs:PutLogEvents,logs:PutLogEventsBatch,logs:CreateLogStream' on '${Token[TOKEN.507]}' could not be added on either identity or resource policy.
```
Environment
- CLI Version: 1.18.0
- Framework Version: 1.18.0
- OS: macOS
- Language: TypeScript
Other
This is 🐛 Bug Report
Issue Analytics
- Created 4 years ago
- Reactions: 3
- Comments: 26 (23 by maintainers)
Top GitHub Comments
In case others run into this, I used the AwsCustomResource construct to help accomplish our goal here. Here's some code to hopefully help out if folks need to use this workaround in the meantime. Please note that this code is very specific to our use-case, so you'll almost undoubtedly need to modify it to work for you.
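The commenter's own code is not reproduced on this page. As an added example (not the commenter's code and not part of the aws-cdk project), the block below builds the CloudWatch Logs resource policy that the workaround has to put in place for `es.amazonaws.com`, in the shape the AWS SDK `putResourcePolicy` call takes, and lints it before it would be handed to an AwsCustomResource. The function names, the sample log group ARN and the assumed `service`/`action`/`parameters` call shape are this example's own; the actions are the two from the reporter's first error message.

```typescript
// Added example: resource policy for a CloudWatch Logs log group that a service principal
// (here es.amazonaws.com, as in the issue) may write to. Function names and the sample ARN
// are assumptions made for this example.

interface PolicyStatement {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: { Service: string };
  Action: string[];
  Resource: string;
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// The actions grantWrite() tried to grant in the first error of the issue.
const LOG_WRITE_ACTIONS = ['logs:PutLogEvents', 'logs:CreateLogStream'];

// PutResourcePolicy rejects a policyDocument longer than this many characters.
const MAX_POLICY_DOCUMENT_LENGTH = 5120;

// Builds a policy scoped to one log group. Log streams live under the group, so the
// resource is the group ARN followed by ":*" rather than a bare "*".
function buildLogResourcePolicy(serviceName: string, logGroupArn: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'AllowServiceToWriteLogs',
      Effect: 'Allow',
      Principal: { Service: serviceName },
      Action: [...LOG_WRITE_ACTIONS],
      Resource: logGroupArn.endsWith(':*') ? logGroupArn : `${logGroupArn}:*`,
    }],
  };
}

// Parameters in the shape an AwsCustomResource onCreate/onUpdate SDK call takes
// (assumed shape: service, action, parameters; how the physical resource id is
// wrapped depends on the CDK version). The SDK wants the document as a string.
function buildPutResourcePolicyCall(policyName: string, doc: PolicyDocument) {
  return {
    service: 'CloudWatchLogs',
    action: 'putResourcePolicy',
    parameters: { policyName, policyDocument: JSON.stringify(doc) },
    physicalResourceId: policyName,
  };
}

// Returns the problems found; an empty array means the policy is acceptable.
// Catches the two mistakes that matter most: a wildcard resource (every log group in
// the account becomes writable by the service) and actions beyond plain log writing.
function lintLogResourcePolicy(doc: PolicyDocument): string[] {
  const problems: string[] = [];
  const serialized = JSON.stringify(doc);
  if (serialized.length > MAX_POLICY_DOCUMENT_LENGTH) {
    problems.push(`document is ${serialized.length} chars, limit is ${MAX_POLICY_DOCUMENT_LENGTH}`);
  }
  for (const s of doc.Statement) {
    if (s.Resource === '*') {
      problems.push(`${s.Sid}: Resource "*" lets ${s.Principal.Service} write to every log group in the account`);
    } else if (!/^arn:aws:logs:[^:]+:\d{12}:log-group:/.test(s.Resource)) {
      problems.push(`${s.Sid}: Resource is not a log-group ARN`);
    }
    const extra = s.Action.filter((a) => !LOG_WRITE_ACTIONS.includes(a));
    if (extra.length > 0) {
      problems.push(`${s.Sid}: actions beyond log writing: ${extra.join(', ')}`);
    }
  }
  return problems;
}

// Constructed sample input: a log group in a placeholder account.
const SAMPLE_LOG_GROUP_ARN = 'arn:aws:logs:us-east-1:123456789012:log-group:ElasticSearchLogGroup';
const samplePolicy = buildLogResourcePolicy('es.amazonaws.com', SAMPLE_LOG_GROUP_ARN);
const sampleCall = buildPutResourcePolicyCall('es-log-policy', samplePolicy);
console.log(JSON.stringify(sampleCall, null, 2));
console.log('lint problems:', lintLogResourcePolicy(samplePolicy));
```

The lint step is the part worth keeping: once the policy is written by a custom resource rather than by a CDK grant, nothing in the synthesized template reviews it, so a `Resource: "*"` copied from a snippet goes through silently. Run the policy document through the linter in a unit test before it reaches the SDK call.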
Yeah, makes sense depending on how you synth.