IAM permissions required to create or work with a data protection policy
To be able to work with data protection policies for log groups, you must have certain permissions as shown in the following tables. The permissions are different for account-wide data protection policies and for data protection policies that apply to a single log group.
Permissions required for account-level data protection policies
Note
If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.
Operation | IAM permission needed | Resource |
---|---|---|
Create a data protection policy with no audit destinations | | |
Create a data protection policy with CloudWatch Logs as an audit destination | | |
Create a data protection policy with Firehose as an audit destination | | |
Create a data protection policy with Amazon S3 as an audit destination | | |
Unmask masked log events in a specified log group | | |
View an existing data protection policy | | |
Delete a data protection policy | | |
If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the logs:PutDataProtectionPolicy and logs:CreateLogDelivery permissions.
Permissions required for data protection policies for a single log group
Note
If you are performing any of these operations inside a Lambda function, the Lambda execution role and permissions boundary must also include the following permissions.
Operation | IAM permission needed | Resource |
---|---|---|
Create a data protection policy with no audit destinations | | |
Create a data protection policy with CloudWatch Logs as an audit destination | | |
Create a data protection policy with Firehose as an audit destination | | |
Create a data protection policy with Amazon S3 as an audit destination | | |
Unmask masked log events | | |
View an existing data protection policy | | |
Delete a data protection policy | | |
If any data protection audit logs are already being sent to a destination, then other policies that send logs to the same destination only need the logs:PutDataProtectionPolicy and logs:CreateLogDelivery permissions.
Sample data protection policy
The following sample policy allows a user to create, view, and delete data protection policies that can send audit findings to all three types of audit destinations. It does not permit the user to view unmasked data.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "YOUR_SID_1",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:PutResourcePolicy",
        "logs:DescribeLogGroups",
        "logs:DescribeResourcePolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "YOUR_SID_2",
      "Effect": "Allow",
      "Action": [
        "logs:GetDataProtectionPolicy",
        "logs:DeleteDataProtectionPolicy",
        "logs:PutDataProtectionPolicy",
        "s3:PutBucketPolicy",
        "firehose:TagDeliveryStream",
        "s3:GetBucketPolicy"
      ],
      "Resource": [
        "arn:aws:firehose:::deliverystream/YOUR_DELIVERY_STREAM",
        "arn:aws:s3:::YOUR_BUCKET",
        "arn:aws:logs:::log-group:YOUR_LOG_GROUP:*"
      ]
    }
  ]
}
```
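As an added example (not code from the AWS documentation), the check below evaluates the sample policy above offline to confirm the least-privilege claim it makes: the policy-management actions are granted, but the action that governs viewing unmasked data (logs:Unmask) is not. It models only Effect/Action/NotAction with IAM's wildcard and case-insensitive matching, so it ignores Resource and Condition elements and treats a result of "allowed" as an upper bound.

```python
import fnmatch

# The page's sample IAM policy, transcribed as a dict (placeholders kept as on the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "YOUR_SID_1", "Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogDelivery", "logs:PutResourcePolicy",
                    "logs:DescribeLogGroups", "logs:DescribeResourcePolicies"]},
        {"Sid": "YOUR_SID_2", "Effect": "Allow",
         "Action": ["logs:GetDataProtectionPolicy", "logs:DeleteDataProtectionPolicy",
                    "logs:PutDataProtectionPolicy", "s3:PutBucketPolicy",
                    "firehose:TagDeliveryStream", "s3:GetBucketPolicy"],
         "Resource": ["arn:aws:firehose:::deliverystream/YOUR_DELIVERY_STREAM",
                      "arn:aws:s3:::YOUR_BUCKET", "arn:aws:logs:::log-group:YOUR_LOG_GROUP:*"]},
    ],
}


def _action_matches(patterns, action):
    """IAM compares action names case-insensitively; '*' and '?' are wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action):
    """True if an Allow statement covers `action` and no Deny statement does.
    Resource and Condition elements are ignored, so True here is an upper bound."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            covered = _action_matches(stmt["Action"], action)
        else:  # NotAction: the statement applies to everything except the listed actions
            covered = not _action_matches(stmt["NotAction"], action)
        if covered and stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (covered and stmt["Effect"] == "Allow")
    return allowed


def audit(policy, actions):
    """Map each action of interest to whether the policy grants it."""
    return {a: is_allowed(policy, a) for a in actions}


if __name__ == "__main__":
    # The two actions the text singles out, plus logs:Unmask for viewing unmasked data.
    checks = ["logs:PutDataProtectionPolicy", "logs:CreateLogDelivery", "logs:Unmask"]
    for action, ok in audit(SAMPLE_POLICY, checks).items():
        print(f"{action:32} {'allowed' if ok else 'not allowed'}")
```

Run it against a candidate policy before attaching it to a Lambda execution role or user to confirm that logs:Unmask stays out of it unless unmasking is intended.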