 

Aws step function deployment log access issue

I am running into some permissions issue I am not able to figure out.

The step function deployment fails because of the error:

```text
Error: AccessDeniedException: The state machine IAM Role is not authorized to access the Log Destination
10:12:19    status code: 400, request id: ff46f8c0-fcc8-4190-ba6a-13f5ab617c78
10:12:19  
10:12:19    on step_function.tf line 1, in resource "aws_sfn_state_machine" "oss_integration_data_process_sf":
10:12:19     1: resource "aws_sfn_state_machine" "os_int_data_process_sf" {
```

Funny thing is, it only happens to one lambda while all lambdas have the same prefix, and we give the step function permissions as:

```json
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:AssociateKmsKey",
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:XXXX:log-group:*/*"
            ],
            "Effect": "Allow"
        }
```

I can run the lambda after deployment and see that a CW log stream with the lambda name is getting created.
vivek ashodha asked Feb 17 '26 20:02
2 Answers

I had the same issue and resolved by updating policies for the Role as described here: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html

Normally PutLogEvents and CreateLogStream should be enough for resources like Lambda, but apparently Step Functions needs the other log policies as well.

Tyn answered Feb 19 '26 08:02
You can create the permissions using a wildcard * in the resources and your permission issue will be solved, as the documentation page suggests.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogStream",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    }
  ]
}
```

If you want to follow the principle of least privilege access, there are some points about the CloudWatch permissions that you need to check:

  • The LogDelivery and ResourcePolicy actions don't support resource types, so they must use a wildcard * in the resources.

```yaml
- Effect: Allow
  Action:
    - 'logs:CreateLogDelivery'
    - 'logs:GetLogDelivery'
    - 'logs:UpdateLogDelivery'
    - 'logs:DeleteLogDelivery'
    - 'logs:ListLogDeliveries'
    - 'logs:PutResourcePolicy'
    - 'logs:DescribeResourcePolicies'
  Resource: '*'
```

  • The PutLogEvents action is at the log-stream* level, so if you want to restrict it, you need to follow something like this:

```yaml
- Effect: Allow
  Action:
    - 'logs:PutLogEvents'
  Resource: 'arn:aws:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}'
```

  • The Destination related actions are at the destination* level, so if you want to restrict them, you need to follow something like this:

```yaml
- Effect: Allow
  Action:
    - 'logs:PutDestination'
    - 'logs:PutDestinationPolicy'
  # A CloudWatch Logs destination ARN has no log-group segment
  Resource: 'arn:aws:logs:${Region}:${Account}:destination:${DestinationName}'
```

  • The PutSubscriptionFilter action is at the log-group and destination* levels.

More information about CloudWatch Logs actions and permissions can be found here: Actions, resources, and condition keys for Amazon CloudWatch Logs

valdeci answered Feb 19 '26 10:02
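Added example, not code from the question or either answer: a small offline check that reads an IAM policy document and flags the situation described above, where the LogDelivery and ResourcePolicy actions are granted only on a log-group ARN (as in the asker's policy) instead of the wildcard they require. The action sets, the `check_log_delivery_policy` function and the constructed sample policy are assumptions of this example, not part of the page.

```python
from fnmatch import fnmatch

# CloudWatch Logs actions Step Functions needs for log delivery that do not
# support resource-level permissions: they only take effect with Resource "*".
WILDCARD_ONLY_ACTIONS = {
    "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
    "logs:PutResourcePolicy", "logs:DescribeResourcePolicies",
}
# Actions that may instead be scoped to a log-group / log-stream ARN.
SCOPABLE_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(stmt, action):
    # IAM action patterns are matched case-insensitively and may contain '*'.
    return stmt.get("Effect") == "Allow" and any(
        fnmatch(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", [])))


def check_log_delivery_policy(policy):
    """Map each problematic action to a reason; an empty dict means the policy is fine."""
    problems = {}
    for action in sorted(WILDCARD_ONLY_ACTIONS | SCOPABLE_ACTIONS):
        star = scoped = False
        for stmt in _as_list(policy.get("Statement", [])):
            if _grants(stmt, action):
                if "*" in _as_list(stmt.get("Resource", [])):
                    star = True
                else:
                    scoped = True
        if action in WILDCARD_ONLY_ACTIONS and not star:
            problems[action] = ('granted only on a scoped ARN; needs Resource "*"'
                                if scoped else "not granted")
        elif action in SCOPABLE_ACTIONS and not (star or scoped):
            problems[action] = "not granted"
    return problems


# Constructed sample: the shape of the asker's policy, every logs action scoped
# to a log-group ARN (the account id is a placeholder).
ASKER_STYLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": sorted(WILDCARD_ONLY_ACTIONS | SCOPABLE_ACTIONS),
    "Resource": ["arn:aws:logs:us-east-1:123456789012:log-group:*/*"]}]}

if __name__ == "__main__":
    for action, why in check_log_delivery_policy(ASKER_STYLE_POLICY).items():
        print(f"{action}: {why}")
```

Running it against the constructed policy lists the seven LogDelivery/ResourcePolicy actions as granted only on a scoped ARN, which is the gap the second answer's wildcard statement closes.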
