IAM policy for Amazon CloudWatch - AWS End User Messaging SMS


Use the following example to create a permissions policy that allows AWS End User Messaging SMS to write events to a CloudWatch Logs log group. Replace the Region, account ID, and log-group-name in the Resource ARN with your own values. The trailing :* is required: CreateLogStream and PutLogEvents act on the log streams inside the group, so the policy must cover them rather than the log group alone.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111122223333:log-group:log-group-name:*"
      ]
    }
  ]
}

For more information about IAM policies, see Policies and permissions in IAM in the IAM User Guide.

After you create the policy, create a new IAM role, and then attach the policy to it. When you create the role, also add the following trust policy to it.

The trust policy uses the optional but recommended aws:SourceAccount and aws:SourceArn conditions so that the sms-voice.amazonaws.com service principal can assume the role only when it is acting on behalf of the named configuration set in your account. Without these conditions, the service could be made to assume your role on behalf of a configuration set in a different account (the confused deputy problem). In this example, replace accountId with your AWS account ID, region with the AWS Region name, and ConfigSetName with the name of the configuration set.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "Service": "sms-voice.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "accountId"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:sms-voice:region:accountId:configuration-set/ConfigSetName"
      }
    }
  }
}

For more information about creating IAM roles, see Creating IAM roles in the IAM User Guide.
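The following script is an added example and is not part of the AWS documentation. It renders both policy documents with real values substituted, and, only when run with --apply, creates the role, attaches the permissions policy, and points a CloudWatch Logs event destination on the configuration set at that role. The account ID, Region, log group, role and event destination names are placeholders chosen for illustration; the AWS CLI commands (aws iam create-role, aws iam put-role-policy, aws logs create-log-group, aws pinpoint-sms-voice-v2 create-event-destination) are the standard CLI operations and are assumed to be available with credentials configured.

```shell
#!/usr/bin/env bash
# Added example, not AWS's own code. Renders the permissions policy and the
# trust policy for a CloudWatch Logs event destination, and optionally applies
# them. All identifiers below are placeholders (assumptions), override via env.
set -euo pipefail

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
REGION="${REGION:-us-east-1}"
CONFIG_SET="${CONFIG_SET:-MyConfigSet}"
LOG_GROUP="${LOG_GROUP:-/aws/sms-voice/MyConfigSet}"
ROLE_NAME="${ROLE_NAME:-SmsVoiceCloudWatchLogsRole}"
DEST_NAME="${DEST_NAME:-cwl-events}"

# Permissions policy: write access scoped to one log group. The trailing :*
# covers the log streams inside it, which CreateLogStream/PutLogEvents act on.
render_permissions_policy() {
  local account="$1" region="$2" log_group="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
      "Resource": ["arn:aws:logs:${region}:${account}:log-group:${log_group}:*"]
    }
  ]
}
EOF
}

# Trust policy: only the sms-voice service principal, and only while acting on
# behalf of this configuration set in this account (confused-deputy guard).
render_trust_policy() {
  local account="$1" region="$2" config_set="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "Service": "sms-voice.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "aws:SourceAccount": "${account}" },
      "ArnLike": { "aws:SourceArn": "arn:aws:sms-voice:${region}:${account}:configuration-set/${config_set}" }
    }
  }
}
EOF
}

apply() {
  local tmp
  tmp="$(mktemp -d)"
  render_permissions_policy "$ACCOUNT_ID" "$REGION" "$LOG_GROUP" > "$tmp/permissions.json"
  render_trust_policy "$ACCOUNT_ID" "$REGION" "$CONFIG_SET" > "$tmp/trust.json"

  # Role first (with the trust policy), then the inline permissions policy.
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$tmp/trust.json"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name CloudWatchLogsWrite \
    --policy-document "file://$tmp/permissions.json"

  # The log group must exist before events can be delivered; ignore "already exists".
  aws logs create-log-group --log-group-name "$LOG_GROUP" --region "$REGION" || true

  # The event destination takes the role ARN and the plain log group ARN
  # (no :* suffix here; that suffix belongs only in the permissions policy).
  aws pinpoint-sms-voice-v2 create-event-destination --region "$REGION" \
    --configuration-set-name "$CONFIG_SET" \
    --event-destination-name "$DEST_NAME" \
    --matching-event-types ALL \
    --cloud-watch-logs-destination "IamRoleArn=arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME},LogGroupArn=arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}"
}

if [ "${1:-}" = "--apply" ]; then
  apply
else
  # Dry run: print both documents for review before anything is created.
  render_permissions_policy "$ACCOUNT_ID" "$REGION" "$LOG_GROUP"
  render_trust_policy "$ACCOUNT_ID" "$REGION" "$CONFIG_SET"
fi
```

Run it without arguments to review the rendered documents, and with --apply to create the resources. Note that IAM propagation is eventually consistent, so if create-event-destination reports that the role cannot be assumed immediately after create-role, retry after a few seconds rather than loosening the trust policy.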