When I used aws_cloudwatch_log_resource_policy in a configuration file, it was successfully applied. I was expecting a policy to appear in the IAM -> Policies list in the web console, but there was no sign of any new policies.
What kind of resource does aws_cloudwatch_log_resource_policy create?
CloudWatch Logs supports identity-based policies, and resource-based policies for destinations, which are used to enable cross account subscriptions. For more information, see Cross-account log data sharing with subscriptions.
Short answer: it creates a CloudWatch Logs Resource Policy!
Long answer: it's a misnomer from AWS, as it doesn't actually get attached to a resource at all and appears to be a service-level access policy for CloudWatch Logs.
The only references to it I can find in the AWS docs (as of this writing) are the API call and CLI command descriptions; everything else is about adding resource policies to destinations, which are a different thing.
There also does not appear to be any console support for it anywhere I would expect it; however, if you're creating an Elasticsearch domain in the console, it will prompt you for one if you're setting up slow query logs.
And finally, here's the actual error message that brought me here, to make it easier for people running into similar issues to find this:
ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group es-redacted-prod-logs does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy.
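As an added example (not part of the original answer or of the Terraform provider docs), here is a complete Terraform configuration showing what this resource actually produces and how to scope it tightly. It grants the Elasticsearch/OpenSearch service principal just enough to write slow logs into one log group, which is exactly the permission the error message above complains is missing. The log group name, domain name, region and policy name are placeholders I chose.

```hcl
# Added example: a CloudWatch Logs resource policy that lets the
# Elasticsearch/OpenSearch service principal write slow logs into one
# log group. Log group name, domain name, region and policy name are
# placeholders; the account ID is read from the current credentials.

data "aws_caller_identity" "current" {}

locals {
  region      = "us-east-1"      # placeholder
  domain_name = "example-domain" # placeholder
}

resource "aws_cloudwatch_log_group" "es_slow_logs" {
  name              = "/aws/es/${local.domain_name}/search-slow-logs" # placeholder
  retention_in_days = 30
}

data "aws_iam_policy_document" "es_slow_logs" {
  statement {
    sid    = "AllowESToWriteSlowLogs"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }

    # Only the two actions the service needs: create the stream, push events.
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]

    # Scope to this log group's streams (":*" suffix), not to every log group.
    resources = ["${aws_cloudwatch_log_group.es_slow_logs.arn}:*"]

    # Confused-deputy guard: only a domain in this account and region may
    # use the grant, even though the principal is a shared service principal.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:es:${local.region}:${data.aws_caller_identity.current.account_id}:domain/${local.domain_name}"]
    }
  }
}

# This is the "resource" the question asks about: a region-wide CloudWatch
# Logs access policy identified only by its name. It is not an IAM policy,
# so it never shows up under IAM -> Policies.
resource "aws_cloudwatch_log_resource_policy" "es_slow_logs" {
  policy_name     = "es-slow-logs-example" # placeholder
  policy_document = data.aws_iam_policy_document.es_slow_logs.json
}
```

To see what `terraform apply` actually created, list the policies for the region with `aws logs describe-resource-policies --region us-east-1`; that is the only place they are visible outside the API. Two practical caveats: the policy is per region (the same name must be created again in every region that needs it), and an account can hold only a small fixed number of these policies per region (10 at the time of writing), so prefer one policy per service principal with a scoped `resources` list over one policy per log group.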
A few more hints related to CloudWatch log group resource policies: