
AWS policy actions for querying a CloudWatch log group and extracting information from the results


I am trying to query the AWS CloudWatch logs that are created by a Lambda Function. I have written a script to do this, which does the following:

  1. aws logs start-query
    Submit a query, with the appropriate time window and query string.

  2. aws logs get-query-results
    Return the log record pointer results from the query created in step (1).

  3. aws logs get-log-record
    Dereference the log record pointers from step (2) to get the log stream IDs.

  4. aws logs get-log-events
    Fetch the log events from the log streams found in step (3).

This works and now I'm trying to create a policy that will allow me to run all of the above without authentication. This is what I've come up with, going by the AWS CloudWatch Logs permissions reference:

{
  "Effect": "Allow",
  "Action": [
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "logs:StartQuery",
    "logs:DescribeQueries",
    "logs:GetQueryResults",
    "logs:GetLogRecord"
  ],
  "Resource": [
    "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION",
    "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION:log-stream:*"
  ]
}

Unfortunately, this causes my script to fail at the second step. I can successfully create a query, but when I try to fetch its results, I get:

An error occurred (AccessDeniedException) when calling the GetQueryResults operation: User with accountId: ACCOUNT is not authorized to perform GetQueryResults

What am I missing? Clearly GetQueryResults is allowed, but it's still not working. What other actions do I need to allow for both step 2 and what follows to succeed?


Solution

It turns out that GetQueryResults and GetLogRecord should not be limited to a particular CloudWatch resource and instead applied to everything. The following fixed the problem:

    [
      {
        "Effect": "Allow",
        "Action": [
          "logs:DescribeLogStreams",
          "logs:GetLogEvents",
          "logs:StartQuery"
        ],
        "Resource": [
          "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION",
          "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION:log-stream:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "logs:GetQueryResults",
          "logs:GetLogRecord"
        ],
        "Resource": "*"
      }
    ]
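As an added example (not code from the question or the answer), a small Python linter that checks a CloudWatch Logs policy for the mistake in the original statement: the set of actions that have to be granted on Resource "*" is taken from the answer above rather than from a complete AWS reference, and the two sample policies are constructed copies of the ones posted in this thread.

```python
# Actions the accepted answer had to move to Resource "*" because they are not
# resource-scoped (assumption: this set is taken from the thread, not from a
# complete AWS reference).
UNSCOPED_ACTIONS = {"logs:GetQueryResults", "logs:GetLogRecord"}
# Actions the thread scopes to log-group / log-stream ARNs; granting them on "*"
# is broader than the least-privilege form shown in the fixed policy.
SCOPED_ACTIONS = {"logs:DescribeLogStreams", "logs:GetLogEvents",
                  "logs:StartQuery", "logs:DescribeQueries"}

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _statements(policy):
    """Accept a full policy document, a list of statements, or one statement."""
    if isinstance(policy, dict) and "Statement" in policy:
        policy = policy["Statement"]
    return _as_list(policy)

def lint_logs_policy(policy):
    """Return (severity, message) findings for each Allow statement."""
    findings = []
    for idx, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        has_star = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action in UNSCOPED_ACTIONS and not has_star:
                findings.append(("error", f"statement {idx}: {action} is not "
                                 'resource-scoped; it is denied unless Resource includes "*"'))
            elif action in SCOPED_ACTIONS and has_star:
                findings.append(("warning", f"statement {idx}: {action} supports "
                                 'log-group ARNs; Resource "*" is broader than needed'))
    return findings

# Constructed copies of the two policies in the thread (placeholders kept as-is).
LOG_GROUP = "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION"
BROKEN = {"Effect": "Allow", "Resource": [LOG_GROUP, LOG_GROUP + ":log-stream:*"],
          "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:StartQuery",
                     "logs:DescribeQueries", "logs:GetQueryResults", "logs:GetLogRecord"]}
FIXED = [{"Effect": "Allow", "Resource": [LOG_GROUP, LOG_GROUP + ":log-stream:*"],
          "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:StartQuery"]},
         {"Effect": "Allow", "Action": ["logs:GetQueryResults", "logs:GetLogRecord"],
          "Resource": "*"}]

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_logs_policy(pol) or "no findings")
```

Running it reports two errors for the original statement (GetQueryResults and GetLogRecord scoped to the log group) and no findings for the two-statement policy from the answer.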