Actions, resources, and condition keys for Amazon CloudWatch Logs
Amazon CloudWatch Logs (service prefix: logs) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon CloudWatch Logs
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateKmsKey | Associates the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group. | Write | |||
| CancelExportTask | Cancels an export task if it is in PENDING or RUNNING state | Write | |||
| CreateExportTask | Creates an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket | Write | |||
| CreateLogDelivery [permission only] | Creates the log delivery | Write | |||
| CreateLogGroup | Creates a new log group with the specified name | Write | |||
| CreateLogStream | Creates a new log stream with the specified name | Write | |||
| DeleteDestination | Deletes the destination with the specified name and eventually disables all the subscription filters that publish to it | Write | |||
| DeleteLogDelivery [permission only] | Deletes the log delivery information for specified log delivery | Write | |||
| DeleteLogGroup | Deletes the log group with the specified name and permanently deletes all the archived log events associated with it | Write | |||
| DeleteLogStream | Deletes a log stream and permanently deletes all the archived log events associated with it | Write | |||
| DeleteMetricFilter | Deletes a metric filter associated with the specified log group | Write | |||
| DeleteResourcePolicy | Deletes a resource policy from this account | Write | |||
| DeleteRetentionPolicy | Deletes the retention policy of the specified log group | Write | |||
| DeleteSubscriptionFilter | Deletes a subscription filter associated with the specified log group | Write | |||
| DescribeDestinations | Returns all the destinations that are associated with the AWS account making the request | List | |||
| DescribeExportTasks | Returns all the export tasks that are associated with the AWS account making the request | List | |||
| DescribeLogGroups | Returns all the log groups that are associated with the AWS account making the request | List | |||
| DescribeLogStreams | Returns all the log streams that are associated with the specified log group | List | |||
| DescribeMetricFilters | Returns all the metrics filters associated with the specified log group | List | |||
| DescribeQueries | Returns a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account. You can request all queries, or limit it to queries of a specific log group or queries with a certain status. | List | |||
| DescribeResourcePolicies | Return all the resource policies in this account. | List | |||
| DescribeSubscriptionFilters | Returns all the subscription filters associated with the specified log group | List | |||
| DisassociateKmsKey | Disassociates the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group | Write | |||
| FilterLogEvents | Retrieves log events, optionally filtered by a filter pattern from the specified log group | Read | |||
| GetLogDelivery [permission only] | Gets the log delivery information for specified log delivery | Read | |||
| GetLogEvents | Retrieves log events from the specified log stream | Read | |||
| GetLogGroupFields | Returns a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field. The search is limited to a time period that you specify. | Read | |||
| GetLogRecord | Retrieves all the fields and values of a single log event. All fields are retrieved, even if the original query that produced the logRecordPointer retrieved only a subset of fields. Fields are returned as field name/field value pairs. | Read | |||
| GetQueryResults | Returns the results from the specified query. If the query is in progress, partial results of that current execution are returned. Only the fields requested in the query are returned. | Read | |||
| ListLogDeliveries [permission only] | Lists all the log deliveries for specified account and/or log source | List | |||
| ListTagsLogGroup | Lists the tags for the specified log group | List | |||
| PutDestination | Creates or updates a Destination | Write |
iam:PassRole |
||
| PutDestinationPolicy | Creates or updates an access policy associated with an existing Destination | Write | |||
| PutLogEvents | Uploads a batch of log events to the specified log stream | Write | |||
| PutMetricFilter | Creates or updates a metric filter and associates it with the specified log group | Write | |||
| PutResourcePolicy | Creates or updates a resource policy allowing other AWS services to put log events to this account | Write | |||
| PutRetentionPolicy | Sets the retention of the specified log group | Write | |||
| PutSubscriptionFilter | Creates or updates a subscription filter and associates it with the specified log group | Write |
iam:PassRole |
||
| StartQuery | Schedules a query of a log group using CloudWatch Logs Insights. You specify the log group and time range to query, and the query string to use. | Read | |||
| StopQuery | Stops a CloudWatch Logs Insights query that is in progress. If the query has already ended, the operation returns an error indicating that the specified query is not running. | Read | |||
| TagLogGroup | Adds or updates the specified tags for the specified log group | Write | |||
| TestMetricFilter | Tests the filter pattern of a metric filter against a sample of log event messages | Read | |||
| UntagLogGroup | Removes the specified tags from the specified log group | Write | |||
| UpdateLogDelivery [permission only] | Updates the log delivery information for specified log delivery | Write |
Resource types defined by Amazon CloudWatch Logs
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The resource types table.
Condition keys for Amazon CloudWatch Logs
CloudWatch Logs has no service-specific context keys that can be used in the
Condition element of policy statements. For the list of the global context keys that are
available to all services, see Available keys for conditions.
