Using condition keys to limit Contributor Insights users' access to log groups
To create a rule in Contributor Insights and see its results, a user must have the
cloudwatch:PutInsightRule
permission. By default, a user with this permission can create a Contributor Insights
rule that evaluates any log group in CloudWatch Logs and then see the results. The results can
contain contributor data for those log groups.
You can create IAM policies with condition keys to grant users the permission to write Contributor Insights rules for some log groups while preventing them from writing rules for and seeing this data from other log groups.
For more information about the Condition
element in IAM policies,
see IAM JSON policy elements: Condition.
Allow access to write rules and view results for only certain log groups
The following policy allows the user access to write rules and view results
for the log group named AllowedLogGroup
and all log groups
that have names that start with AllowedWildCard
. It does
not grant access to write rules or view rule results for any other log groups.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCertainLogGroups", "Effect": "Allow", "Action": "cloudwatch:PutInsightRule", "Resource": "arn:aws:cloudwatch:*:*:insight-rule/*", "Condition": { "ForAllValues:StringEqualsIgnoreCase": { "cloudwatch:requestInsightRuleLogGroups": [ "AllowedLogGroup", "AllowedWildcard*" ] } } } ] }
Deny writing rules for specific log groups but allow writing rules for all other log groups
The following policy explicitly denies the user access to write rules and view rule results
for the log group named ExplicitlyDeniedLogGroup
, but allows writing rules
and viewing rule results for all other log groups.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowInsightRulesOnLogGroupsByDefault", "Effect": "Allow", "Action": "cloudwatch:PutInsightRule", "Resource": "arn:aws:cloudwatch:*:*:insight-rule/*" }, { "Sid": "ExplicitDenySomeLogGroups", "Effect": "Deny", "Action": "cloudwatch:PutInsightRule", "Resource": "arn:aws:cloudwatch:*:*:insight-rule/*", "Condition": { "ForAllValues:StringEqualsIgnoreCase": { "cloudwatch:requestInsightRuleLogGroups": [ "/test/alpine/ExplicitlyDeniedLogGroup" ] } } } ] }