What resources does aws_cloudwatch_log_resource_policy create?

When I used aws_cloudwatch_log_resource_policy in a configuration file, it was successfully applied. I was expecting a policy to appear in IAM -> Policies list in the web console, but there was no sign of new policies.

What kind of resource does aws_cloudwatch_log_resource_policy create?

k_shil asked Feb 21 '18 17:02




2 Answers

Short answer: it creates a CloudWatch Logs Resource Policy!

Long answer: it's a misnomer from AWS as it doesn't actually get attached to a resource at all and appears to be a service-level access policy for CloudWatch logs.

The only reference to it I can find in the AWS docs (as of this writing) are the API call and CLI command descriptions - everything else is about adding resource policies to destinations which are a different thing.

There also does not appear to be any console support for it anywhere that I would expect it, however if you're creating an ElasticSearch domain in the console it will prompt you for one if you're setting up slow query logs.

And finally here's the actual error message that brought me here to make it easier to find this for people running into similar issues:

ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group es-redacted-prod-logs does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy.

Devon Bleak answered Nov 16 '22 01:11


A few more hints related to CloudWatch log group resource policies:

  1. Can only be created via the CloudWatch API, one of the AWS SDKs, or the AWS CLI.
  2. No CloudFormation support.
  3. An account can have up to 10 resource policies per region.
  4. We can create policies even when the log groups/streams don't exist.
  5. PutResourcePolicy from IAM for CloudWatch Logs has no condition keys available, so the only option is to use global condition keys.
samtoddler answered Nov 15 '22 23:11
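Neither answer shows the policy document itself, so here is an added example (not code from the question or from either answer) that ties both together: the Terraform resource the question is about, carrying the logs:CreateLogStream and logs:PutLogEvents grant that the ValidationException in the first answer asks for, and the global aws:SourceAccount / aws:SourceArn condition keys that hint 5 in the second answer leaves as the only available controls. The `aws_iam_policy_document` data source, the `aws_elasticsearch_domain` resource and its `log_publishing_options` block are the AWS provider's own; the domain name, log group name, policy name and retention period are placeholders I chose for the example. A deliberately over-broad version of the policy is shown first for contrast and is not attached.

```hcl
# Added example, not code from the question or either answer. Every name
# below (log group, domain, policy name) is a made-up placeholder.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  domain_name    = "example-domain"                                   # assumption
  log_group_name = "/aws/aes/domains/${local.domain_name}/slow-logs"  # assumption
  # Build the ARNs by hand so the trailing ":*" (the log streams) is explicit
  # and does not depend on which provider version's `arn` attribute format is in use.
  log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group_name}"
  domain_arn    = "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${local.domain_name}"
}

resource "aws_cloudwatch_log_group" "es_slow_logs" {
  name              = local.log_group_name
  retention_in_days = 30
}

# Weak version, shown only for contrast and NOT attached below: a wildcard
# resource and no conditions lets the Elasticsearch service principal write
# to every log group in the account, on behalf of any domain in any account
# (the classic confused-deputy exposure for service principals).
data "aws_iam_policy_document" "es_logs_broad" {
  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }
    resources = ["*"]
  }
}

# Scoped version: only this log group's streams, and only when the calling
# domain is in this account and is this specific domain. logs:PutResourcePolicy
# offers no service-specific condition keys, so the global aws:SourceAccount
# and aws:SourceArn keys are what is available.
data "aws_iam_policy_document" "es_logs_scoped" {
  statement {
    sid     = "AllowEsSlowLogsFromThisDomainOnly"
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }
    resources = ["${local.log_group_arn}:*"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [local.domain_arn]
    }
  }
}

# The resource the question asks about. It creates no IAM policy object; the
# document is stored as one of the account's (at most 10 per region) CloudWatch
# Logs resource policies, which is why nothing appears under IAM -> Policies.
resource "aws_cloudwatch_log_resource_policy" "es_slow_logs" {
  policy_name     = "es-slow-logs-${local.domain_name}"
  policy_document = data.aws_iam_policy_document.es_logs_scoped.json
}

# Domain publishing its search slow logs to the group. depends_on forces the
# resource policy to exist before the domain is created; without it the API
# returns the ValidationException quoted in the first answer.
resource "aws_elasticsearch_domain" "example" {
  domain_name = local.domain_name

  log_publishing_options {
    log_type                 = "SEARCH_SLOW_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.es_slow_logs.arn
  }

  depends_on = [aws_cloudwatch_log_resource_policy.es_slow_logs]
}
```

Because there is no console page for these policies, the way to confirm what `terraform apply` stored is `aws logs describe-resource-policies` in the same region; the output lists the policy name and the JSON document, and is also where to look when you hit the 10-per-region limit from hint 3. The `aws:SourceArn` condition is an ArnLike test, so a wildcard domain ARN (`domain/*`) would widen the grant back to every domain in the account while still looking scoped, which is worth checking in review.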