CloudWatch Logs IAM Policies
View Logs
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListLogGroups",
"Effect": "Allow",
"Action": "logs:DescribeLogGroups",
"Resource": "*"
},
{
"Sid": "ViewLogGroup",
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogGroupFields"
],
"Resource": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}"
},
{
"Sid": "ViewLogEvents",
"Effect": "Allow",
"Action": "logs:GetLogEvents",
"Resource": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:*"
},
{
"Sid": "LogInsights",
"Effect": "Allow",
"Action": [
"logs:DescribeQueryDefinitions",
"logs:DescribeQueries",
"logs:GetLogRecord",
"logs:GetQueryResults",
"logs:StartQuery",
"logs:StopQuery"
],
"Resource": "*"
}
]
}
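# Read-only access to one CloudWatch Logs log group, including Logs Insights.
#
# ${Partition}, ${Region}, ${Account} and ${LogGroupName} are placeholders taken
# from the ARN format: replace them with real values or Terraform references
# before use. Left as written, Terraform parses "${...}" as interpolation and
# rejects these names.
data "aws_iam_policy_document" "view_logs" {
  # Account-wide listing of log groups. This exposes log group metadata (names,
  # retention and similar settings), not log events.
  statement {
    sid       = "ListLogGroups"
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }

  # Stream listing, filtered search and field discovery, limited to the one
  # named log group.
  statement {
    sid    = "ViewLogGroup"
    effect = "Allow"
    actions = [
      "logs:DescribeLogStreams",
      "logs:FilterLogEvents",
      "logs:GetLogGroupFields",
    ]
    resources = ["arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}"]
  }

  # Reading events is authorized on the log-stream resource, so the wildcard
  # here covers every stream inside the named log group only.
  statement {
    sid       = "ViewLogEvents"
    effect    = "Allow"
    actions   = ["logs:GetLogEvents"]
    resources = ["arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:*"]
  }

  # logs:StartQuery supports resource-level permissions on the log group.
  # Granting it on "*" would let this principal run Logs Insights queries
  # against every log group in the account, bypassing the per-group scoping of
  # the statements above, so it is pinned to the same log group ARN.
  statement {
    sid       = "StartInsightsQuery"
    effect    = "Allow"
    actions   = ["logs:StartQuery"]
    resources = ["arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}"]
  }

  # The remaining Logs Insights actions are not authorized against a log-group
  # resource, so they need "*" (confirm against the Service Authorization
  # Reference for CloudWatch Logs). Consequence to keep in mind:
  # GetQueryResults and GetLogRecord are therefore not limited to queries this
  # principal started on the log group above.
  statement {
    sid    = "LogInsights"
    effect = "Allow"
    actions = [
      "logs:DescribeQueryDefinitions",
      "logs:DescribeQueries",
      "logs:GetLogRecord",
      "logs:GetQueryResults",
      "logs:StopQuery",
    ]
    resources = ["*"]
  }
}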