Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Allowing Amazon Aurora to Access Amazon CloudWatch Logs Resources

Aurora can access CloudWatch Logs to export audit log data from an Aurora DB cluster. However, you must first create an IAM policy that provides the log group and log stream permissions that allow Aurora to access CloudWatch Logs.

The following policy adds the permissions required by Aurora to access Amazon CloudWatch Logs on your behalf, and the minimum required permissions to create log groups and export data.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroups",
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:PutRetentionPolicy"
        ],
        "Resource": [
          "arn:aws:logs:*:*:log-group:/aws/rds/*"
        ]
      },
      {
        "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogStreams",
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams",
          "logs:GetLogEvents"
        ],
        "Resource": [
          "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*"
        ]
      }
    ]
  }

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access CloudWatch Logs on your behalf. To allow Aurora full access to CloudWatch Logs, you can skip these steps and use the CloudWatchLogsFullAccess predefined IAM policy instead of creating your own. For more information, see Using Identity-Based Policies (IAM Policies) for CloudWatch Logs.

To create an IAM policy to grant access to your CloudWatch Logs resources

  1. Open the IAM Console.

  2. In the navigation pane, choose Policies.

  3. Choose Create Policy.

  4. For Policy Generator, choose Select.

  5. In Edit Permissions, set the following values to grant CloudWatch Logs log group permissions:

    • Effect: Allow

    • AWS Service: Amazon CloudWatch Logs

    • Actions: logs:CreateLogGroup, logs:PutRetentionPolicy

    • Amazon Resource Name (ARN): arn:aws:logs:*:*:log-group:/aws/rds/*

  6. Choose Add Statement.

  7. In Edit Permissions, set the following values to grant CloudWatch Logs log stream permissions:

    • Effect: Allow

    • AWS Service: Amazon CloudWatch Logs

    • Actions: logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:GetLogEvents

    • Amazon Resource Name (ARN): arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*

  8. Choose Add Statement.

  9. Choose Next Step.

  10. Set Policy Name to a name for your IAM policy, for example AmazonRDSCloudWatchLogs. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional Description value.

  11. Choose Create Policy.
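The console steps above produce the same two-statement document shown earlier on this page. The following Python script is an added example (not AWS code and not part of this guide): it builds that policy document so it can be saved to a file and passed to aws iam create-policy --policy-document file://policy.json, and it checks an arbitrary policy document against the minimum the page describes, reporting any action outside the six logs: actions or any Resource not scoped to log groups under /aws/rds/. The region and account_id parameters of build_policy, the check_policy function and the OVERLY_BROAD_POLICY sample are this example's own constructions; with the default arguments the ARNs match the page exactly.

```python
import json

# Minimum permissions from the page, grouped as the two statements the policy uses.
LOG_GROUP_ACTIONS = ("logs:CreateLogGroup", "logs:PutRetentionPolicy")
LOG_STREAM_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents",
                      "logs:DescribeLogStreams", "logs:GetLogEvents")
ALLOWED_ACTIONS = set(LOG_GROUP_ACTIONS) | set(LOG_STREAM_ACTIONS)
RDS_LOG_GROUP_PREFIX = "log-group:/aws/rds/"


def build_policy(region="*", account_id="*"):
    """Return the policy document as a dict.

    With the defaults the ARNs match the page exactly. Passing a region and
    account ID (an option added in this example, not on the page) narrows the
    ARNs to one account and Region.
    """
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/rds/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroups",
                "Effect": "Allow",
                "Action": list(LOG_GROUP_ACTIONS),
                "Resource": [log_group_arn],
            },
            {
                "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogStreams",
                "Effect": "Allow",
                "Action": list(LOG_STREAM_ACTIONS),
                "Resource": [log_group_arn + ":log-stream:*"],
            },
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def check_policy(policy):
    """Return a list of findings for an IAM policy document.

    An empty list means every Allow statement stays within the minimum the
    page describes: only the listed logs: actions, only on /aws/rds/ log groups.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement can only narrow the grant
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants more than it names")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action!r} is outside the minimum set")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith("arn:aws:logs:") or RDS_LOG_GROUP_PREFIX not in resource:
                findings.append(f"{sid}: resource {resource!r} is not scoped to /aws/rds/ log groups")
    return findings


# Constructed sample of an over-broad document: a wildcard action on every
# resource, which check_policy should flag twice.
OVERLY_BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooMuch", "Effect": "Allow", "Action": "logs:*", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    # Save this output as policy.json for the IAM console or the AWS CLI.
    print(json.dumps(build_policy(), indent=2))
    print(check_policy(build_policy()))          # []
    print(check_policy(OVERLY_BROAD_POLICY))     # two findings
```

Running the checker on the generated document returns no findings, while the constructed wildcard policy is flagged for both its action and its resource; the same function can be pointed at the document returned by aws iam get-policy-version to confirm that an existing policy has not drifted beyond the minimum.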