AWS CloudFormation
User Guide (Version )

AWS::Logs::Destination

The AWS::Logs::Destination resource specifies a CloudWatch Logs destination. A destination encapsulates a physical resource (such as an Amazon Kinesis data stream) and enables you to subscribe that resource to a stream of log events.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Logs::Destination",
  "Properties" : {
    "DestinationName" : String,
    "DestinationPolicy" : String,
    "RoleArn" : String,
    "TargetArn" : String
  }
}

YAML

Type: AWS::Logs::Destination
Properties:
  DestinationName: String
  DestinationPolicy: String
  RoleArn: String
  TargetArn: String

Properties

DestinationName

The name of the destination.

Required: Yes

Type: String

Minimum: 1

Maximum: 512

Pattern: [^:*]*

Update requires: Replacement

DestinationPolicy

An IAM policy document that governs which AWS accounts can create subscription filters against this destination.

Required: Yes

Type: String

Minimum: 1

Update requires: No interruption

RoleArn

The ARN of an IAM role that permits CloudWatch Logs to send data to the specified AWS resource.

Required: Yes

Type: String

Minimum: 1

Update requires: No interruption

TargetArn

The Amazon Resource Name (ARN) of the physical target where the log events are delivered (for example, a Kinesis stream).

Required: Yes

Type: String

Minimum: 1

Update requires: No interruption

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name, such as TestDestination.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The ARN of the CloudWatch Logs destination, such as arn:aws:logs:us-west-1:123456789012:destination:MyDestination.

Examples

Create a Destination

In the following example, the target stream (TestStream) can receive log events from the logger IAM user that is in the account 234567890123. The user can call only the PutSubscriptionFilter action against the TestDestination destination.

JSON

"DestinationWithName" : {
  "Type" : "AWS::Logs::Destination",
  "Properties" : {
    "DestinationName": "TestDestination",
    "RoleArn": "arn:aws:iam::123456789012:role/LogKinesisRole",
    "TargetArn": "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream",
    "DestinationPolicy": "{\"Version\" : \"2012-10-17\",\"Statement\" : [{\"Effect\" : \"Allow\", \"Principal\" : {\"AWS\" : \"arn:aws:iam::234567890123:user/logger\"}, \"Action\" : \"logs:PutSubscriptionFilter\", \"Resource\" : \"arn:aws:logs:us-east-1:123456789012:destination:TestDestination\"}]}"
  }
}

YAML

DestinationWithName:
  Type: AWS::Logs::Destination
  Properties:
    DestinationName: "TestDestination"
    RoleArn: "arn:aws:iam::123456789012:role/LogKinesisRole"
    TargetArn: "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream"
    DestinationPolicy: >
      {"Version" : "2012-10-17","Statement" : [{"Effect" : "Allow", "Principal" : {"AWS" : "arn:aws:iam::234567890123:user/logger"},"Action" : "logs:PutSubscriptionFilter", "Resource" : "arn:aws:logs:us-east-1:123456789012:destination:TestDestination"}]}
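
The following is an added example, not part of the AWS documentation: a Python check that a template's DestinationPolicy stays as narrow as the one in the example above (one named principal, one action, one destination). It assumes the resource is already loaded as a dict with literal string properties; the helper names, the LOOSE policy and the allowed-account set are constructed for illustration, and treating any action other than logs:PutSubscriptionFilter as a finding is this example's own baseline, taken from the page's example.

```python
import json

# Constructed input: the page's example policy, plus a loosened variant for contrast.
STRICT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::234567890123:user/logger"},
    "Action": "logs:PutSubscriptionFilter",
    "Resource": "arn:aws:logs:us-east-1:123456789012:destination:TestDestination"}]}
LOOSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "logs:*", "Resource": "*"}]}

def resource(policy):  # hypothetical helper: wrap a policy in the page's resource
    return {"Type": "AWS::Logs::Destination", "Properties": {
        "DestinationName": "TestDestination",
        "RoleArn": "arn:aws:iam::123456789012:role/LogKinesisRole",
        "TargetArn": "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream",
        "DestinationPolicy": json.dumps(policy)}}

def as_list(value):
    return value if isinstance(value, list) else [value]
def account_of(p):  # account ID from a bare ID or an IAM ARN; "*" stays "*"
    return p.split(":")[4] if p.count(":") >= 4 else p

def audit_destination(res, allowed_accounts):
    """Return findings for one destination; an empty list means none."""
    props, findings = res["Properties"], []
    try:
        policy = json.loads(props["DestinationPolicy"])  # the property is a JSON string
    except (TypeError, ValueError):
        return ["DestinationPolicy is not a JSON string"]
    suffix = ":destination:" + props["DestinationName"]
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        pr = stmt.get("Principal", {})
        names = as_list(pr.get("AWS", [])) if isinstance(pr, dict) else [pr]
        for name in names:
            acct = account_of(name)
            if acct == "*" and "Condition" not in stmt:  # a Condition may scope a wildcard
                findings.append(f"statement {n}: wildcard principal without Condition")
            elif acct != "*" and acct not in allowed_accounts:
                findings.append(f"statement {n}: unexpected account {acct}")
        for action in as_list(stmt.get("Action", [])):
            if action != "logs:PutSubscriptionFilter":
                findings.append(f"statement {n}: action {action} is broader than the page's example")
        for arn in as_list(stmt.get("Resource", [])):
            if not arn.endswith(suffix):
                findings.append(f"statement {n}: Resource {arn} is not this destination")
    return findings
```
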