What resources does aws_cloudwatch_log_resource_policy create?

Question

When I used aws_cloudwatch_log_resource_policy in a configuration file, it was succesfully applied. I was expecting a policy to appear in IAM -> Policies list in the web console, but there was no sign of new policies.

What kind of resource does aws_cloudwatch_log_resource_policy create?

Answer 1

Short answer: it creates a CloudWatch Logs Resource Policy!

Long answer: it's a misnomer from AWS as it doesn't actually get attached to a resource at all and appears to be a service-level access policy for CloudWatch logs.

The only reference to it I can find in the AWS docs (as of this writing) are the API call and CLI command descriptions - everything else is about adding resource policies to destinations which are a different thing.

There also does not appear to be any console support for it anywhere that I would expect it, however if you're creating an ElasticSearch domain in the console it will prompt you for one if you're setting up slow query logs.

And finally here's the actual error message that brought me here to make it easier to find this for people running into similar issues:

ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group es-redacted-prod-logs does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy.

Answer 2

few more hints related to Cloudwatch log group resource policies :

1. Can only be created only via CloudWatch API, one of the AWS SDKs, or the AWS CLI.
2. No cloud formation support.
3. An account can have up to 10 resource policies per region.
4. We can create policies even when the log groups/streams don't exist.
5. PutResourcePolicy from IAM for Cloudwatch Logs has no condition keys available. So the only option is to use Global Conditions.