本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
对日志使用基于身份的策略(IAM策略) CloudWatch
本主题提供了基于身份的策略的示例,在这些策略中,账户管理员可以向 IAM 身份(即:用户、组和角色)挂载权限策略。
重要
我们建议您先阅读介绍性主题,这些主题解释了管理 CloudWatch 日志资源访问权限的基本概念和选项。有关更多信息,请参阅 管理您的 L CloudWatch ogs 资源的访问权限概述。
本主题包含以下内容:
下面是权限策略的示例:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] }
本策略具有一个语句,该语句授予了创建日志组和日志流、将事件上传到日志流和列出有关日志流的详细信息的权限。
Resource 值结尾的通配符 (*) 表示一个语句,该语句授予了对任何日志组执行 logs:CreateLogGroup、logs:CreateLogStream、logs:PutLogEvents 和 logs:DescribeLogStreams 操作的权限。要将此权限限制为特定的日志组,请将资源ARN中的通配符 (*) 替换为特定的日志组ARN。有关IAM政策声明中各部分的更多信息,请参阅《IAM用户指南》中的 “IAM策略元素参考”。有关显示所有 L CloudWatch ogs 操作的列表,请参阅CloudWatch 日志权限参考。
使用 CloudWatch 控制台所需的权限
要让用户在 CloudWatch 控制台中使用 CloudWatch 日志,该用户必须拥有一组允许用户描述其 AWS 账户中的其他 AWS 资源的最低权限。要在 CloudWatch 控制台中使用 CloudWatch 日志,您必须拥有以下服务的权限:
-
CloudWatch
-
CloudWatch 日志
-
OpenSearch 服务
-
IAM
-
Kinesis
-
Lambda
-
Amazon S3
如果创建比必需的最低权限更为严格的 IAM 策略,对于附加该 IAM 策略的用户,控制台将无法按预期正常运行。为确保这些用户仍然可以使用 CloudWatch 控制台,还要将CloudWatchReadOnlyAccess托管策略附加到该用户,如中所述AWS CloudWatch 日志的托管(预定义)策略。
对于仅拨打 AWS CLI 或 CloudWatch 日志的用户,您无需为其设置最低控制台权限API。
对于不使用 CloudWatch 控制台管理日志订阅的用户,使用控制台所需的全部权限为:
云观察:GetMetricData
云观察:ListMetrics
日志:CancelExportTask
日志:CreateExportTask
日志:CreateLogGroup
日志:CreateLogStream
日志:DeleteLogGroup
日志:DeleteLogStream
日志:DeleteMetricFilter
日志:DeleteQueryDefinition
日志:DeleteRetentionPolicy
日志:DeleteSubscriptionFilter
日志:DescribeExportTasks
日志:DescribeLogGroups
日志:DescribeLogStreams
日志:DescribeMetricFilters
日志:DescribeQueryDefinitions
日志:DescribeQueries
日志:DescribeSubscriptionFilters
日志:FilterLogEvents
日志:GetLogEvents
日志:GetLogGroupFields
日志:GetLogRecord
日志:GetQueryResults
日志:PutMetricFilter
日志:PutQueryDefinition
日志:PutRetentionPolicy
日志:StartQuery
日志:StopQuery
日志:PutSubscriptionFilter
日志:TestMetricFilter
对于同时使用控制台来管理日志订阅的用户,还需要以下权限:
是:DescribeElasticsearchDomain
是:ListDomainNames
我是:AttachRolePolicy
我是:CreateRole
我是:GetPolicy
我是:GetPolicyVersion
我是:GetRole
我是:ListAttachedRolePolicies
我是:ListRoles
运动学:DescribeStreams
运动学:ListStreams
lambda: AddPermission
lambda: CreateFunction
lambda: GetFunctionConfiguration
lambda: ListAliases
lambda: ListFunctions
lambda: ListVersionsByFunction
lambda: RemovePermission
s3:ListBuckets
AWS CloudWatch 日志的托管(预定义)策略
AWS 通过提供由创建和管理的独立IAM策略来解决许多常见用例 AWS。托管式策略可授予常用案例的必要权限,因此,您可以免去调查都需要哪些权限的工作。有关更多信息,请参阅《IAM用户指南》中的AWS 托管策略。
以下 AWS 托管策略特定于 CloudWatch 日志,您可以将其附加到账户中的用户和角色:
CloudWatchLogsFullAccess— 授予对 CloudWatch 日志的完全访问权限。
CloudWatchLogsReadOnlyAccess— 授予对CloudWatch 日志的只读访问权限。
CloudWatchLogsFullAccess
该CloudWatchLogsFullAccess策略授予对 CloudWatch 日志的完全访问权限。该策略包含cloudwatch:GenerateQuery权限,因此拥有此策略的用户可以根据自然语言提示生成 CloudWatch Logs Insights 查询字符串。它包括为 Amazon OpenSearch Service 某些功能启用 CloudWatch 日志与 OpenSearch 服务的集成的权限。IAM完整内容如下:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchLogsFullAccess", "Effect": "Allow", "Action": [ "logs:*", "cloudwatch:GenerateQuery", "opensearch:ApplicationAccessAll", "iam:ListRoles", "iam:ListUsers", "aoss:BatchGetCollection", "aoss:BatchGetLifecyclePolicy", "es:ListApplications" ], "Resource": "*" }, { "Sid": "CloudWatchLogsOpenSearchCreateServiceLinkedAccess", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService", "Condition": { "StringEquals": { "iam:AWSServiceName": "opensearchservice.amazonaws.com" } } }, { "Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/*/AWSServiceRoleForAmazonOpenSearchServerless", "Condition": { "StringEquals": { "iam:AWSServiceName": "observability.aoss.amazonaws.com" } } }, { "Sid": "CloudWatchLogsCollectionRequestAccess", "Effect": "Allow", "Action": [ "aoss:CreateCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsApplicationRequestAccess", "Effect": "Allow", "Action": [ "es:CreateApplication" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/OpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "OpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsCollectionResourceAccess", "Effect": "Allow", "Action": [ "aoss:DeleteCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsApplicationResourceAccess", "Effect": "Allow", "Action": [ "es:UpdateApplication", "es:GetApplication" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/OpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsCollectionPolicyAccess", "Effect": "Allow", "Action": [ "aoss:CreateSecurityPolicy", "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:DeleteSecurityPolicy", "aoss:GetAccessPolicy", "aoss:GetSecurityPolicy", "aoss:APIAccessAll" ], "Resource": "*", "Condition": { "StringLike": { "aoss:collection": "logs-collection-*" } } }, { "Sid": "CloudWatchLogsIndexPolicyAccess", "Effect": "Allow", "Action": [ "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:GetAccessPolicy", "aoss:CreateLifecyclePolicy", "aoss:DeleteLifecyclePolicy" ], "Resource": "*", "Condition": { "StringLike": { "aoss:index": "logs-collection-*" } } }, { "Sid": "CloudWatchLogsStartDirectQueryAccess", "Effect": "Allow", "Action": [ "opensearch:StartDirectQuery" ], "Resource": "arn:aws:opensearch:*:*:datasource/logs_datasource_*" }, { "Sid": "CloudWatchLogsDQSRequestQueryAccess", "Effect": "Allow", "Action": [ "es:AddDirectQueryDataSource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsDQSResourceQueryAccess", "Effect": "Allow", "Action": [ "es:GetDirectQueryDataSource", "es:DeleteDirectQueryDataSource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsPassRoleAccess", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "directquery.opensearchservice.amazonaws.com" } } }, { "Sid": "CloudWatchLogsAossTagsAccess", "Effect": "Allow", "Action": [ "aoss:TagResource", "es:AddTags" ], "Resource": "arn:aws:aoss:*:*:collection/*", "Condition": { "StringEquals": { "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsEsApplicationTagsAccess", "Effect": "Allow", "Action": [ "es:AddTags" ], "Resource": "arn:aws:opensearch:*:*:application/*", "Condition": { "StringEquals": { "aws:ResourceTag/OpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "OpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsEsDataSourceTagsAccess", "Effect": "Allow", "Action": [ "es:AddTags" ], "Resource": "arn:aws:opensearch:*:*:datasource/*", "Condition": { "StringEquals": { "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } } ] }
CloudWatchLogsReadOnlyAccess
该CloudWatchLogsReadOnlyAccess策略授予对 CloudWatch 日志的只读访问权限。它包括cloudwatch:GenerateQuery权限,因此拥有此策略的用户可以根据自然语言提示生成 CloudWatch Logs Insights 查询字符串。内容如下:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents", "logs:StartLiveTail", "logs:StopLiveTail", "cloudwatch:GenerateQuery" ], "Resource": "*" } ] }
CloudWatchOpenSearchDashboardsFullAccess
该CloudWatchOpenSearchDashboardsFullAccess策略授予创建、管理和删除与 Serv OpenSearch ice 的集成,以及在这些集成中创建、删除和管理已售日志仪表板的权限。有关更多信息,请参阅 使用 Amazon OpenSearch 服务进行分析。
内容如下:
{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudWatchOpenSearchDashboardsIntegration", "Effect": "Allow", "Action": [ "logs:ListIntegrations", "logs:GetIntegration", "logs:DeleteIntegration", "logs:PutIntegration", "logs:DescribeLogGroups", "opensearch:ApplicationAccessAll", "iam:ListRoles", "iam:ListUsers" ], "Resource": "*" }, { "Sid": "CloudWatchLogsOpensearchReadAPIs", "Effect": "Allow", "Action": [ "aoss:BatchGetCollection", "aoss:BatchGetLifecyclePolicy", "es:ListApplications" ], "Resource": "*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com" } } }, { "Sid": "CloudWatchLogsOpensearchCreateServiceLinkedAccess", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService", "Condition": { "StringEquals": { "iam:AWSServiceName": "opensearchservice.amazonaws.com", "aws:CalledViaFirst": "logs.amazonaws.com" } } }, { "Sid": "CloudWatchLogsObservabilityCreateServiceLinkedAccess", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless", "Condition": { "StringEquals": { "iam:AWSServiceName": "observability.aoss.amazonaws.com", "aws:CalledViaFirst": "logs.amazonaws.com" } } }, { "Sid": "CloudWatchLogsCollectionRequestAccess", "Effect": "Allow", "Action": [ "aoss:CreateCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:RequestTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsApplicationRequestAccess", "Effect": "Allow", "Action": [ "es:CreateApplication" ], "Resource": "*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:RequestTag/OpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "OpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsCollectionResourceAccess", "Effect": "Allow", "Action": [ "aoss:DeleteCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsApplicationResourceAccess", "Effect": "Allow", "Action": [ "es:UpdateApplication", "es:GetApplication" ], "Resource": "*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:ResourceTag/OpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsCollectionPolicyAccess", "Effect": "Allow", "Action": [ "aoss:CreateSecurityPolicy", "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:DeleteSecurityPolicy", "aoss:GetAccessPolicy", "aoss:GetSecurityPolicy" ], "Resource": "*", "Condition": { "StringLike": { "aoss:collection": "cloudwatch-logs-*", "aws:CalledViaFirst": "logs.amazonaws.com" } } }, { "Sid": "CloudWatchLogsAPIAccessAll", "Effect": "Allow", "Action": [ "aoss:APIAccessAll" ], "Resource": "*", "Condition": { "StringLike": { "aoss:collection": "cloudwatch-logs-*" } } }, { "Sid": "CloudWatchLogsIndexPolicyAccess", "Effect": "Allow", "Action": [ "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:GetAccessPolicy", "aoss:CreateLifecyclePolicy", "aoss:DeleteLifecyclePolicy" ], "Resource": "*", "Condition": { "StringLike": { "aoss:index": "cloudwatch-logs-*", "aws:CalledViaFirst": "logs.amazonaws.com" } } }, { "Sid": "CloudWatchLogsDQSRequestQueryAccess", "Effect": "Allow", "Action": [ "es:AddDirectQueryDataSource" ], "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:RequestTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsStartDirectQueryAccess", "Effect": "Allow", "Action": [ "opensearch:StartDirectQuery", "opensearch:GetDirectQuery" ], "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*" }, { "Sid": "CloudWatchLogsDQSResourceQueryAccess", "Effect": "Allow", "Action": [ "es:GetDirectQueryDataSource", "es:DeleteDirectQueryDataSource" ], "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsPassRoleAccess", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "directquery.opensearchservice.amazonaws.com", "aws:CalledViaFirst": "logs.amazonaws.com" } } }, { "Sid": "CloudWatchLogsAossTagsAccess", "Effect": "Allow", "Action": [ "aoss:TagResource", "es:AddTags" ], "Resource": "arn:aws:aoss:*:*:collection/*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsEsApplicationTagsAccess", "Effect": "Allow", "Action": [ "es:AddTags" ], "Resource": "arn:aws:opensearch:*:*:application/*", "Condition": { "StringEquals": { "aws:ResourceTag/OpenSearchIntegration": [ "Dashboards" ], "aws:CalledViaFirst": "logs.amazonaws.com" }, "ForAllValues:StringEquals": { "aws:TagKeys": "OpenSearchIntegration" } } }, { "Sid": "CloudWatchLogsEsDataSourceTagsAccess", "Effect": "Allow", "Action": [ "es:AddTags" ], "Resource": "arn:aws:opensearch:*:*:datasource/*", "Condition": { "StringEquals": { "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ], "aws:CalledViaFirst": "logs.amazonaws.com" }, "ForAllValues:StringEquals": { "aws:TagKeys": "CloudWatchOpenSearchIntegration" } } } ] }
CloudWatchOpenSearchDashboardAccess
该CloudWatchOpenSearchDashboardAccess策略授予查看使用 Amazon OpenSearch Service 分析创建的销售日志仪表板的访问权限。有关更多信息,请参阅 使用 Amazon OpenSearch 服务进行分析。
重要
除了授予此策略外,要使角色或用户能够查看提供的日志仪表板,还必须在创建与 Serv OpenSearch ice 的集成时指定它们。有关更多信息,请参阅 步骤 1:创建与 OpenSearch 服务的集成。
的内容CloudWatchOpenSearchDashboardAccess如下:
{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudWatchOpenSearchDashboardsIntegration", "Effect": "Allow", "Action": [ "logs:ListIntegrations", "logs:GetIntegration", "logs:DescribeLogGroups", "opensearch:ApplicationAccessAll", "iam:ListRoles", "iam:ListUsers" ], "Resource": "*" }, { "Sid": "CloudWatchLogsOpensearchReadAPIs", "Effect": "Allow", "Action": [ "aoss:BatchGetCollection", "aoss:BatchGetLifecyclePolicy", "es:ListApplications" ], "Resource": "*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com" } } }, { "Sid": "CloudWatchLogsAPIAccessAll", "Effect": "Allow", "Action": [ "aoss:APIAccessAll" ], "Resource": "*", "Condition": { "StringLike": { "aoss:collection": "cloudwatch-logs-*" } } }, { "Sid": "CloudWatchLogsDQSCollectionPolicyAccess", "Effect": "Allow", "Action": [ "aoss:GetAccessPolicy", "aoss:GetSecurityPolicy" ], "Resource": "*", "Condition": { "StringLike": { "aws:CalledViaFirst": "logs.amazonaws.com", "aoss:collection": "cloudwatch-logs-*" } } }, { "Sid": "CloudWatchLogsApplicationResourceAccess", "Effect": "Allow", "Action": [ "es:GetApplication" ], "Resource": "*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:ResourceTag/OpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsDQSResourceQueryAccess", "Effect": "Allow", "Action": [ "es:GetDirectQueryDataSource" ], "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*", "Condition": { "StringEquals": { "aws:CalledViaFirst": "logs.amazonaws.com", "aws:ResourceTag/CloudWatchOpenSearchIntegration": [ "Dashboards" ] } } }, { "Sid": "CloudWatchLogsDirectQueryStatusAccess", "Effect": "Allow", "Action": [ "opensearch:GetDirectQuery" ], "Resource": "arn:aws:opensearch:*:*:datasource/cloudwatch_logs_*" } ] }
CloudWatchLogsCrossAccountSharingConfiguration
该CloudWatchLogsCrossAccountSharingConfiguration策略授予创建、管理和查看用于在账户之间共享 CloudWatch 日志资源的 Observability Access Manager 链接的权限。有关更多信息,请参阅CloudWatch 跨账户可观察性。
内容如下:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:Link", "oam:ListLinks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "oam:DeleteLink", "oam:GetLink", "oam:TagResource" ], "Resource": "arn:aws:oam:*:*:link/*" }, { "Effect": "Allow", "Action": [ "oam:CreateLink", "oam:UpdateLink" ], "Resource": [ "arn:aws:oam:*:*:link/*", "arn:aws:oam:*:*:sink/*" ] } ] }
CloudWatch 记录 AWS 托管策略的更新
查看自该服务开始跟踪 CloudWatch 日志 AWS 托管策略更改以来这些更新的详细信息。要获得有关此页面更改的自动提醒,请订阅 “ CloudWatch 日志文档历史记录” 页面上的订阅RSS源。
| 更改 | 描述 | 日期 |
|---|---|---|
|
CloudWatchLogsFullAccess – 对现有策略的更新。 |
CloudWatch 记录已添加的权限CloudWatchLogsFullAccess。 添加IAM了 Amazon OpenSearch Service 和的权限,以便为某些功能启用 CloudWatch 日志与 OpenSearch 服务的集成。 |
2024年12月1日 |
|
CloudWatch Logs 添加了新IAM策略CloudWatchOpenSearchDashboardsFullAccess。-此策略授予创建、管理和删除与 Serv OpenSearch ice 的集成,以及在这些集成中创建、管理和删除已售日志仪表板的权限。有关更多信息,请参阅 使用 Amazon OpenSearch 服务进行分析。 |
2024年12月1日 |
|
|
CloudWatchOpenSearchDashboardAccess— 新IAM政策。 |
CloudWatch Logs 添加了新IAM策略CloudWatchOpenSearchDashboardAccess。-此策略授予查看由 Amazon OpenSearch Service提供支持的销售日志仪表板的访问权限。有关更多信息,请参阅 使用 Amazon OpenSearch 服务进行分析。 |
2024年12月1日 |
|
CloudWatchLogsFullAccess – 对现有策略的更新。 |
CloudWatch 日志已向添加权限CloudWatchLogsFullAccess。 此 |
2023 年 11 月 27 日 |
|
CloudWatchLogsReadOnlyAccess – 对现有策略的更新。 |
CloudWatch 向。添加了权限CloudWatchLogsReadOnlyAccess。 此 |
2023 年 11 月 27 日 |
|
CloudWatchLogsReadOnlyAccess – 更新现有策略 |
CloudWatch 记录已添加的权限CloudWatchLogsReadOnlyAccess。 添加了 |
2023 年 6 月 6 日 |
|
CloudWatch Logs 添加了一项新策略,使您能够管理共享 CloudWatch 日志组的 CloudWatch 跨账户可观察性链接。 如需了解更多信息,请参阅CloudWatch 跨账户可观察性 |
2022 年 11 月 27 日 | |
|
CloudWatchLogsReadOnlyAccess – 更新现有策略 |
CloudWatch 记录已添加的权限CloudWatchLogsReadOnlyAccess。 添加了 |
2022 年 11 月 27 日 |
客户管理型策略示例
您可以创建自己的自定义IAM策略来授予 CloudWatch 日志操作和资源的权限。您可以将这些自定义策略附加到需要这些权限的用户或组。
在本节中,您可以找到授予各种CloudWatch 日志操作权限的用户策略示例。这些策略在您使用 CloudWatch 日志API AWS SDKs、或时起作用 AWS CLI。
示例 1:允许完全访问 CloudWatch 日志
以下策略允许用户访问所有 CloudWatch 日志操作。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:*" ], "Effect": "Allow", "Resource": "*" } ] }
示例 2:允许对 CloudWatch 日志进行只读访问
AWS 提供了允许对 CloudWatch 日志数据进行只读访问的CloudWatchLogsReadOnlyAccess策略。该策略包含以下权限。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents", "logs:StartLiveTail", "logs:StopLiveTail", "cloudwatch:GenerateQuery" ], "Effect": "Allow", "Resource": "*" } ] }
示例 3:允许访问一个日志组
以下策略允许用户在一个指定的日志组中读取和写入日志事件。
重要
Resource 行中日志组名称末尾的 :* 是必需的,以指示该策略适用于此日志组中的所有日志流。如果省略 :*,则不会强制执行该策略。
{ "Version":"2012-10-17", "Statement":[ { "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents" ], "Effect": "Allow", "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*" } ] }
在日志组级别使用标记和IAM策略进行控制
您可以为用户授予某些日志组的访问权限,同时禁止他们访问其他日志组。为此,请标记您的日志组,并使用引用这些标签的 IAM 策略。要将标签应用于日志组,您需要拥有 logs:TagResource 或 logs:TagLogGroup 权限。这既适用于在创建日志组时为其分配标签,也适用于稍后分配标签。
有关标记日志组的更多信息,请参阅 在 Amazon 日志中标记 CloudWatch 日志组。
在标记日志组时,您可以为用户授予 IAM 策略以仅允许访问具有特定标签的日志组。例如,以下策略语句仅授予 Team 标签键值为 Green 的日志组的访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:*" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/Team": "Green" } } } ] }
StopQuery和StopLiveTailAPI操作不与传统意义上的 AWS 资源交互。它们不会返回任何数据、放置任何数据或以任何方式修改资源。相反,它们仅对给定的实时跟踪会话或给定的 L CloudWatch ogs Insights 查询进行操作,这些查询未归类为资源。因此,当您在IAM策略中为这些操作指定Resource字段时,必须将该Resource字段的值设置为*,如下例所示。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:StopQuery", "logs:StopLiveTail" ], "Resource": "*" } ] }
有关使用IAM策略声明的更多信息,请参阅《IAM用户指南》中的使用策略控制访问权限。
