Amazon CloudWatch Logs
User Guide

CloudWatch Logs Permissions Reference

When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each CloudWatch Logs API operation and the corresponding action that you grant permission to perform. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your CloudWatch Logs policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the logs: prefix followed by the API operation name. For example: logs:CreateLogGroup, logs:CreateLogStream, or logs:* (for all CloudWatch Logs actions).

CloudWatch Logs API Operations and Required Permissions for Actions

| CloudWatch Logs API Operations | Required Permissions (API Actions) | Description |
| --- | --- | --- |
| CancelExportTask | logs:CancelExportTask | Required to cancel a pending or running export task. |
| CreateExportTask | logs:CreateExportTask | Required to export data from a log group to an Amazon S3 bucket. |
| CreateLogGroup | logs:CreateLogGroup | Required to create a new log group. |
| CreateLogStream | logs:CreateLogStream | Required to create a new log stream in a log group. |
| DeleteDestination | logs:DeleteDestination | Required to delete a log destination and disable any subscription filters to it. |
| DeleteLogGroup | logs:DeleteLogGroup | Required to delete a log group and any associated archived log events. |
| DeleteLogStream | logs:DeleteLogStream | Required to delete a log stream and any associated archived log events. |
| DeleteMetricFilter | logs:DeleteMetricFilter | Required to delete a metric filter associated with a log group. |
| DeleteRetentionPolicy | logs:DeleteRetentionPolicy | Required to delete a log group's retention policy. |
| DeleteSubscriptionFilter | logs:DeleteSubscriptionFilter | Required to delete the subscription filter associated with a log group. |
| DescribeDestinations | logs:DescribeDestinations | Required to view all destinations associated with the account. |
| DescribeExportTasks | logs:DescribeExportTasks | Required to view all export tasks associated with the account. |
| DescribeLogGroups | logs:DescribeLogGroups | Required to view all log groups associated with the account. |
| DescribeLogStreams | logs:DescribeLogStreams | Required to view all log streams associated with a log group. |
| DescribeMetricFilters | logs:DescribeMetricFilters | Required to view all metrics associated with a log group. |
| DescribeSubscriptionFilters | logs:DescribeSubscriptionFilters | Required to view all subscription filters associated with a log group. |
| FilterLogEvents | logs:FilterLogEvents | Required to sort log events by log group filter pattern. |
| GetLogEvents | logs:GetLogEvents | Required to retrieve log events from a log stream. |
| PutDestination | logs:PutDestination | Required to create or update a destination log stream (such as an Amazon Kinesis stream). |
| PutDestinationPolicy | logs:PutDestinationPolicy | Required to create or update an access policy associated with an existing log destination. |
| PutLogEvents | logs:PutLogEvents | Required to upload a batch of log events to a log stream. |
| PutMetricFilter | logs:PutMetricFilter | Required to create or update a metric filter and associate it with a log group. |
| PutRetentionPolicy | logs:PutRetentionPolicy | Required to set the number of days to keep log events (retention) in a log group. |
| PutSubscriptionFilter | logs:PutSubscriptionFilter | Required to create or update a subscription filter and associate it with a log group. |
| TestMetricFilter | logs:TestMetricFilter | Required to test a filter pattern against a sampling of log event messages. |
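The following is an added example, not part of the AWS documentation: a least-privilege check that expands the wildcards in a policy's Action field against the action names in the table above and lists the grants that remove log data or shorten its retention. The `DESTRUCTIVE` grouping, the function names and the sample policy are assumptions of this example.

```python
import json
import re

# Action names from the table on this page (all carry the logs: prefix).
LOGS_ACTIONS = ["logs:" + op for op in """
CancelExportTask CreateExportTask CreateLogGroup CreateLogStream DeleteDestination
DeleteLogGroup DeleteLogStream DeleteMetricFilter DeleteRetentionPolicy
DeleteSubscriptionFilter DescribeDestinations DescribeExportTasks DescribeLogGroups
DescribeLogStreams DescribeMetricFilters DescribeSubscriptionFilters FilterLogEvents
GetLogEvents PutDestination PutDestinationPolicy PutLogEvents PutMetricFilter
PutRetentionPolicy PutSubscriptionFilter TestMetricFilter""".split()]

# Assumption of this example, not an AWS category: actions that remove log data
# or change how long it is kept, worth reviewing on any non-admin identity.
DESTRUCTIVE = re.compile(r"logs:(Delete\w+|PutRetentionPolicy|CancelExportTask)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive; * matches any run, ? one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def granted_logs_actions(policy_json):
    """CloudWatch Logs actions a policy allows once explicit denies are removed."""
    # Ignores Condition, NotAction and Resource scoping (the page uses Resource "*").
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in LOGS_ACTIONS if _matches(pattern, a))
    return sorted(allowed - denied)

def destructive_grants(policy_json):
    return [a for a in granted_logs_actions(policy_json) if DESTRUCTIVE.match(a)]

# Constructed sample policy: a log-shipping role that was given one wildcard too many.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:Create*", "logs:PutLogEvents",
                                       "logs:Describe*", "logs:Delete*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:DeleteLogGroup", "Resource": "*"},
    ]})

if __name__ == "__main__":
    for action in destructive_grants(SAMPLE_POLICY):
        print("review:", action)
```

Because conditions are ignored, a Deny that only applies under a Condition is treated as unconditional here, so confirm any clean result against the full policy.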