

# Security in Amazon CloudWatch Logs

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security of the cloud and security in the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to WorkSpaces, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Amazon CloudWatch Logs. It shows you how to configure Amazon CloudWatch Logs to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your CloudWatch Logs resources.

**Topics**
+ [Data protection in Amazon CloudWatch Logs](data-protection.md)
+ [Identity and access management for Amazon CloudWatch Logs](auth-and-access-control-cwl.md)
+ [Compliance validation for Amazon CloudWatch Logs](compliance-validation.md)
+ [Resilience in Amazon CloudWatch Logs](disaster-recovery-resiliency.md)
+ [Infrastructure security in Amazon CloudWatch Logs](infrastructure-security.md)
+ [Using CloudWatch Logs with interface VPC endpoints](cloudwatch-logs-and-interface-VPC.md)

# Data protection in Amazon CloudWatch Logs

**Note**  
In addition to the following information about general data protection in AWS, CloudWatch Logs also enables you to protect sensitive data in log events by masking it. For more information, see [Help protect sensitive log data with masking](mask-sensitive-log-data.md).

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon CloudWatch Logs. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with CloudWatch Logs or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

## Encryption at rest


CloudWatch Logs protects data at rest using encryption. All log groups are encrypted. By default, the CloudWatch Logs service manages the server-side encryption and uses server-side encryption with 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt log data at rest.

If you want to manage the keys used for encrypting and decrypting your logs, use AWS KMS keys. For more information, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](encrypt-log-data-kms.md).

## Encryption in transit


CloudWatch Logs uses end-to-end encryption of data in transit. The CloudWatch Logs service manages the server-side encryption keys.

# Identity and access management for Amazon CloudWatch Logs

Access to Amazon CloudWatch Logs requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as to retrieve CloudWatch Logs data about your cloud resources. The following sections provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and CloudWatch Logs to help secure your resources by controlling who can access them:
+ [Authentication](#authentication-cwl)
+ [Access control](#access-control-cwl)

## Authentication


To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Access control


You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access CloudWatch Logs resources. For example, you must have permissions to create log streams, create log groups, and so on.

The following sections describe how to manage permissions for CloudWatch Logs. We recommend that you read the overview first.
+ [Overview of managing access permissions to your CloudWatch Logs resources](iam-access-control-overview-cwl.md)
+ [Using identity-based policies (IAM policies) for CloudWatch Logs](iam-identity-based-access-control-cwl.md)
+ [CloudWatch Logs permissions reference](permissions-reference-cwl.md)

# Overview of managing access permissions to your CloudWatch Logs resources

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

**Topics**
+ [CloudWatch Logs resources and operations](#CWL_ARN_Format)
+ [Understanding resource ownership](#understanding-resource-ownership-cwl)
+ [Managing access to resources](#managing-access-resources-cwl)
+ [Specifying policy elements: Actions, effects, and principals](#actions-effects-principals-cwl)
+ [Specifying conditions in a policy](#policy-conditions-cwl)

## CloudWatch Logs resources and operations

In CloudWatch Logs, the primary resources are log groups, log streams, and destinations. CloudWatch Logs does not support subresources (other resources for use with the primary resource).

These resources have unique Amazon Resource Names (ARNs) associated with them, as shown in the following table.


| Resource type | ARN format |
| --- | --- |
| Log group | Both of the following are used. The second one, with the `:*` at the end, is what is returned by the `describe-log-groups` CLI command and the **DescribeLogGroups** API: `arn:aws:logs:region:account-id:log-group:log_group_name` and `arn:aws:logs:region:account-id:log-group:log_group_name:*`. Use the first version, without the trailing `:*`, in the following situations: [See the AWS documentation website for more details](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html). Use the second version, with the trailing `:*`, to refer to the ARN when specifying permissions in IAM policies for all other API actions. |
| Log stream | `arn:aws:logs:region:account-id:log-group:log_group_name:log-stream:log-stream-name` |
| Destination | `arn:aws:logs:region:account-id:destination:destination_name` |

For more information about ARNs, see [ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html#Identifiers_ARNs) in the *IAM User Guide*. For information about CloudWatch Logs ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-cloudwatch-logs) in the *Amazon Web Services General Reference*. For an example of a policy that covers CloudWatch Logs, see [Using identity-based policies (IAM policies) for CloudWatch Logs](iam-identity-based-access-control-cwl.md).

CloudWatch Logs provides a set of operations to work with the CloudWatch Logs resources. For a list of available operations, see [CloudWatch Logs permissions reference](permissions-reference-cwl.md).
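As an added example that is not part of the AWS documentation, the following Python parses the three ARN formats in the table above into their components and derives the trailing `:*` form that an IAM policy `Resource` element expects for a log group. It assumes only the formats shown in the table and the documented rule that log group, log stream, and destination names never contain `:`; every ARN it is run on is constructed.

```python
"""Parse CloudWatch Logs ARNs and derive the form used in IAM policy Resource
elements. Added example, not AWS code; the ARNs used here are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LogsArn:
    partition: str                  # "aws", "aws-cn", ...
    region: str
    account_id: str
    resource_type: str              # "log-group", "log-stream" or "destination"
    name: str                       # log group name or destination name
    log_stream: Optional[str] = None
    wildcard_suffix: bool = False   # True for the 'log-group:name:*' form


def parse_logs_arn(arn: str) -> LogsArn:
    """Split an ARN on ':' and classify it as one of the three resource types."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "logs":
        raise ValueError(f"not a CloudWatch Logs ARN: {arn!r}")
    partition, region, account_id, rest = parts[1], parts[3], parts[4], parts[5]
    # Names never contain ':', so splitting the remainder on ':' is unambiguous
    # even though log group and log stream names may contain '/' and '.'.
    fields = rest.split(":")
    kind = fields[0]
    if kind == "destination" and len(fields) == 2 and fields[1]:
        return LogsArn(partition, region, account_id, "destination", fields[1])
    if kind == "log-group" and len(fields) >= 2 and fields[1]:
        group = fields[1]
        if len(fields) == 2:
            return LogsArn(partition, region, account_id, "log-group", group)
        if len(fields) == 3 and fields[2] == "*":
            return LogsArn(partition, region, account_id, "log-group", group,
                           wildcard_suffix=True)
        if len(fields) == 4 and fields[2] == "log-stream" and fields[3]:
            return LogsArn(partition, region, account_id, "log-stream", group,
                           log_stream=fields[3])
    raise ValueError(f"unrecognised CloudWatch Logs resource: {arn!r}")


def policy_resource(arn: str) -> str:
    """Return the ARN to put in a policy's Resource element for the general case:
    a log group gets the trailing ':*' the table describes (as a wildcard it also
    covers that group's log streams); streams and destinations are unchanged.
    The API actions the table lists as exceptions take the plain form instead."""
    parsed = parse_logs_arn(arn)
    if parsed.resource_type == "log-group" and not parsed.wildcard_suffix:
        return arn + ":*"
    return arn
```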

## Understanding resource ownership


The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) (that is, the root account, a user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:
+ If you use the root account credentials of your AWS account to create a log group, your AWS account is the owner of the CloudWatch Logs resource.
+ If you create a user in your AWS account and grant permissions to create CloudWatch Logs resources to that user, the user can create CloudWatch Logs resources. However, your AWS account, to which the user belongs, owns the CloudWatch Logs resources.
+ If you create an IAM role in your AWS account with permissions to create CloudWatch Logs resources, anyone who can assume the role can create CloudWatch Logs resources. Your AWS account, to which the role belongs, owns the CloudWatch Logs resources.

## Managing access to resources


A *permissions policy* describes who has access to what. The following section explains the available options for creating permissions policies.

**Note**  
This section discusses using IAM in the context of CloudWatch Logs. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [IAM policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as identity-based policies (IAM policies), and policies attached to a resource are referred to as resource-based policies. CloudWatch Logs supports identity-based policies, and resource-based policies for destinations, which are used to enable cross-account subscriptions. For more information, see [Cross-account cross-Region subscriptions](CrossAccountSubscriptions.md).

**Topics**
+ [Log group permissions and Contributor Insights](#cloudwatch-logs-permissions-and-contributor-insights)
+ [Resource-based policies](#resource-based-policies-cwl)

### Log group permissions and Contributor Insights


Contributor Insights is a feature of CloudWatch that enables you to analyze data from log groups and create time series that display contributor data. You can see metrics about the top-N contributors, the total number of unique contributors, and their usage. For more information, see [ Using Contributor Insights to Analyze High-Cardinality Data](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContributorInsights.html).

When you grant a user the `cloudwatch:PutInsightRule` and `cloudwatch:GetInsightRuleReport` permissions, that user can create a rule that evaluates any log group in CloudWatch Logs and then see the results. The results can contain contributor data for those log groups. Be sure to grant these permissions only to users who should be able to view this data.

### Resource-based policies


CloudWatch Logs supports resource-based policies for destinations, which you can use to enable cross-account subscriptions. For more information, see [Step 1: Create a destination](CreateDestination.md). Destinations can be created using the [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) API, and you can add a resource policy to the destination using the [PutDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestinationPolicy.html) API. The following example allows another AWS account with the account ID 111122223333 to subscribe their log groups to the destination `arn:aws:logs:us-east-1:123456789012:destination:testDestination`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "logs:PutSubscriptionFilter",
      "Resource": "arn:aws:logs:us-east-1:123456789012:destination:testDestination"
    }
  ]
}
```

## Specifying policy elements: Actions, effects, and principals


 For each CloudWatch Logs resource, the service defines a set of API operations. To grant permissions for these API operations, CloudWatch Logs defines a set of actions that you can specify in a policy. Some API operations can require permissions for more than one action in order to perform the API operation. For more information about resources and API operations, see [CloudWatch Logs resources and operations](#CWL_ARN_Format) and [CloudWatch Logs permissions reference](permissions-reference-cwl.md).

The following are the basic policy elements:
+ **Resource** – You use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. For more information, see [CloudWatch Logs resources and operations](#CWL_ARN_Format).
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny. For example, the `logs:DescribeLogGroups` permission allows the user to perform the `DescribeLogGroups` operation.
+ **Effect** – You specify the effect, either allow or deny, when the user requests the specific action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). CloudWatch Logs supports resource-based policies for destinations.

To learn more about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the CloudWatch Logs API actions and the resources that they apply to, see [CloudWatch Logs permissions reference](permissions-reference-cwl.md).

## Specifying conditions in a policy


When you grant permissions, you can use the access policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.

To express conditions, you use predefined condition keys. For a list of context keys supported by each AWS service and a list of AWS-wide policy keys, see [ Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) and [AWS global condition context keys ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

**Note**  
You can use tags to control access to CloudWatch Logs resources, including log groups and destinations. Access to log streams is controlled at the log group level, because of the hierarchical relation between log groups and log streams. For more information about using tags to control access, see [Controlling access to Amazon Web Services resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html).

# Using identity-based policies (IAM policies) for CloudWatch Logs

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your CloudWatch Logs resources. For more information, see [Overview of managing access permissions to your CloudWatch Logs resources](iam-access-control-overview-cwl.md).

This topic covers the following:
+ [Permissions required to use the CloudWatch console](#console-permissions-cwl)
+ [AWS managed (predefined) policies for CloudWatch Logs](#managed-policies-cwl)
+ [Customer managed policy examples](#customer-managed-policies-cwl)

The following is an example of a permissions policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
```

This policy has one statement that grants permissions to create log groups and log streams, to upload log events to log streams, and to list details about log streams.

The wildcard character (\*) at the end of the `Resource` value means that the statement allows permission for the `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`, and `logs:DescribeLogStreams` actions on any log group. To limit this permission to a specific log group, replace the wildcard character (\*) in the resource ARN with the specific log group ARN. For more information about the sections within an IAM policy statement, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html) in the *IAM User Guide*. For a list showing all of the CloudWatch Logs actions, see [CloudWatch Logs permissions reference](permissions-reference-cwl.md).
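The following Python is an added example, not AWS code, that models the evaluation rules this page describes: the implicit deny and explicit-deny-overrides-allow behaviour from the policy elements overview, the wildcard versus specific-log-group `Resource` comparison made above, and a date condition of the kind the conditions section mentions. The first policy is the example above; every other policy, log group, and ARN in it is constructed, and real IAM applies many rules this model omits.

```python
"""Minimal model of how IAM evaluates identity-based policies for CloudWatch
Logs requests. Added example, not AWS code: it covers only Allow and Deny
effects, implicit deny, explicit-deny-wins, '*' and '?' wildcards in Action
and Resource, and a DateGreaterThan condition on aws:CurrentTime. Real IAM
applies many more rules. All policies and ARNs below are constructed."""
import re
from datetime import datetime
from typing import Optional


def _wildcard_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcard matching: '*' matches any run of characters (including ':'
    and '/'), '?' matches exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text: str) -> datetime:
    # IAM date conditions use the ISO 8601 'Z' suffix, e.g. 2025-01-01T00:00:00Z.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_holds(condition: Optional[dict], context: dict) -> bool:
    """Evaluate the one condition operator this example models, DateGreaterThan."""
    for operator, pairs in (condition or {}).items():
        if operator != "DateGreaterThan":
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)      # a missing context key never satisfies
            if actual is None or not _parse_time(actual) > _parse_time(expected):
                return False
    return True


def evaluate(policies: list, action: str, resource: str, context: Optional[dict] = None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # an explicit deny overrides every allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


WRITE_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream",
                 "logs:PutLogEvents", "logs:DescribeLogStreams"]
# The policy from the text: the trailing '*' in Resource covers every log group.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": WRITE_ACTIONS, "Resource": "arn:aws:logs:*:*:*"}]}
# The same actions limited to one (constructed) log group, written in the ':*'
# ARN form so the pattern also matches that group's log streams.
ORDERS_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": WRITE_ACTIONS, "Resource": ORDERS_GROUP + ":*"}]}
# A broad allow in one policy and an explicit deny on deletes in another.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}
DENY_DELETES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "logs:Delete*", "Resource": "*"}]}
# A statement that takes effect only after a specific date (constructed).
DATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*",
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"}}}]}


def demo() -> dict:
    """Run the comparisons the text describes and return each decision."""
    own_stream = ORDERS_GROUP + ":log-stream:2024/05/01/[$LATEST]abc123"
    other_stream = "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/billing:log-stream:s1"
    return {
        "wildcard_any_group": evaluate([WILDCARD_POLICY], "logs:PutLogEvents", other_stream),
        "scoped_own_group": evaluate([SCOPED_POLICY], "logs:PutLogEvents", own_stream),
        "scoped_other_group": evaluate([SCOPED_POLICY], "logs:PutLogEvents", other_stream),
        "action_not_granted": evaluate([SCOPED_POLICY], "logs:DeleteLogGroup", ORDERS_GROUP + ":*"),
        "deny_wins": evaluate([FULL_ACCESS, DENY_DELETES], "logs:DeleteLogGroup", ORDERS_GROUP + ":*"),
        "allow_non_delete": evaluate([FULL_ACCESS, DENY_DELETES], "logs:PutLogEvents", own_stream),
        "before_date": evaluate([DATED_POLICY], "logs:DescribeLogGroups", "*",
                                {"aws:CurrentTime": "2024-12-31T23:59:59Z"}),
        "after_date": evaluate([DATED_POLICY], "logs:DescribeLogGroups", "*",
                               {"aws:CurrentTime": "2025-06-01T00:00:00Z"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20} {decision}")
```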

## Permissions required to use the CloudWatch console


For a user to work with CloudWatch Logs in the CloudWatch console, that user must have a minimum set of permissions that allows the user to describe other AWS resources in their AWS account. In order to use CloudWatch Logs in the CloudWatch console, you must have permissions from the following services:
+ CloudWatch
+ CloudWatch Logs
+ OpenSearch Service
+ IAM
+ Kinesis
+ Lambda
+ Amazon S3

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the CloudWatch console, also attach the `CloudWatchReadOnlyAccess` managed policy to the user, as described in [AWS managed (predefined) policies for CloudWatch Logs](#managed-policies-cwl).

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the CloudWatch Logs API.

The full set of permissions required to work with the CloudWatch console for a user who is not using the console to manage log subscriptions are:
+ cloudwatch:GetMetricData
+ cloudwatch:ListMetrics
+ logs:CancelExportTask
+ logs:CreateExportTask
+ logs:CreateLogGroup
+ logs:CreateLogStream
+ logs:DeleteLogGroup
+ logs:DeleteLogStream
+ logs:DeleteMetricFilter
+ logs:DeleteQueryDefinition
+ logs:DeleteRetentionPolicy
+ logs:DeleteSubscriptionFilter
+ logs:DescribeExportTasks
+ logs:DescribeLogGroups
+ logs:DescribeLogStreams
+ logs:DescribeMetricFilters
+ logs:DescribeQueryDefinitions
+ logs:DescribeQueries
+ logs:DescribeSubscriptionFilters
+ logs:FilterLogEvents
+ logs:GetLogEvents
+ logs:GetLogGroupFields
+ logs:GetLogRecord
+ logs:GetQueryResults
+ logs:PutMetricFilter
+ logs:PutQueryDefinition
+ logs:PutRetentionPolicy
+ logs:StartQuery
+ logs:StopQuery
+ logs:PutSubscriptionFilter
+ logs:TestMetricFilter

For a user who will also be using the console to manage log subscriptions, the following permissions are also required:
+ es:DescribeElasticsearchDomain
+ es:ListDomainNames
+ iam:AttachRolePolicy
+ iam:CreateRole
+ iam:GetPolicy
+ iam:GetPolicyVersion
+ iam:GetRole
+ iam:ListAttachedRolePolicies
+ iam:ListRoles
+ kinesis:DescribeStreams
+ kinesis:ListStreams
+ lambda:AddPermission
+ lambda:CreateFunction
+ lambda:GetFunctionConfiguration
+ lambda:ListAliases
+ lambda:ListFunctions
+ lambda:ListVersionsByFunction
+ lambda:RemovePermission
+ s3:ListBuckets

## AWS managed (predefined) policies for CloudWatch Logs


AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

The following AWS managed policies, which you can attach to users and roles in your account, are specific to CloudWatch Logs:
+ **CloudWatchLogsFullAccess** – Grants full access to CloudWatch Logs.
+ **CloudWatchLogsReadOnlyAccess** – Grants read-only access to CloudWatch Logs.

### CloudWatchLogsFullAccess


 The **CloudWatchLogsFullAccess** policy grants full access to CloudWatch Logs. The policy includes the `cloudwatch:GenerateQuery` and `cloudwatch:GenerateQueryResultsSummary` permissions, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. To see the full contents of the policy, see [CloudWatchLogsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsFullAccess.html) in the *AWS Managed Policy Reference Guide*. 

### CloudWatchLogsReadOnlyAccess


 The **CloudWatchLogsReadOnlyAccess** policy grants read-only access to CloudWatch Logs. It includes the `cloudwatch:GenerateQuery` and `cloudwatch:GenerateQueryResultsSummary` permissions, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt. To see the full contents of the policy, see [CloudWatchLogsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*. 

### CloudWatchOpenSearchDashboardsFullAccess


The **CloudWatchOpenSearchDashboardsFullAccess** policy grants access to create, manage, and delete integrations with OpenSearch Service, and to create, delete, and manage vended log dashboards in those integrations. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).

 To see the full contents of the policy, see [CloudWatchOpenSearchDashboardsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchOpenSearchDashboardsFullAccess.html) in the *AWS Managed Policy Reference Guide*.

### CloudWatchOpenSearchDashboardAccess


The **CloudWatchOpenSearchDashboardAccess** policy grants access to view vended logs dashboards that are created with Amazon OpenSearch Service analytics. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).

**Important**  
In addition to granting this policy, to enable a role or user to be able to view vended log dashboards, you must also specify them when you create the integration with OpenSearch Service. For more information, see [Step 1: Create the integration with OpenSearch Service](OpenSearch-Dashboards-Integrate.md).

 To see the full contents of the policy, see [CloudWatchOpenSearchDashboardAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchOpenSearchDashboardAccess.html) in the *AWS Managed Policy Reference Guide*.

#### CloudWatchLogsCrossAccountSharingConfiguration


The **CloudWatchLogsCrossAccountSharingConfiguration** policy grants access to create, manage, and view Observability Access Manager links for sharing CloudWatch Logs resources between accounts. For more information, see [ CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).

 To see the full contents of the policy, see [CloudWatchLogsCrossAccountSharingConfiguration](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsCrossAccountSharingConfiguration.html) in the *AWS Managed Policy Reference Guide*.

#### CloudWatchLogsAPIKeyAccess


The **CloudWatchLogsAPIKeyAccess** policy enables CloudWatch Logs API key authentication and encrypted log ingestion. This policy grants permissions to authenticate using bearer tokens and write log events to CloudWatch Logs, with additional AWS KMS permissions for decrypting and generating data keys when logs are encrypted.

This policy grants the following permissions:
+ `logs` – Allows principals to authenticate via API key bearer tokens and write log events to CloudWatch Logs streams.
+ `kms` – Allows principals to read AWS KMS key metadata, generate data keys for encryption, and decrypt data. These permissions support encrypted CloudWatch Logs by allowing the service to encrypt log data using customer-managed AWS KMS keys. Access is restricted to operations called through the CloudWatch Logs service.

To view more details about the policy, including the latest version of the JSON policy document, see [CloudWatchLogsAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) in the *AWS Managed Policy Reference Guide*.

### CloudWatch Logs updates to AWS managed policies

View details about updates to AWS managed policies for CloudWatch Logs since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Logs Document history page.

| Change | Description | Date | 
| --- | --- | --- | 
|  [CloudWatchLogsAPIKeyAccess](#managed-policies-cwl-CloudWatchLogsAPIKeyAccess) – New policy.  |  CloudWatch Logs added a new managed policy **CloudWatchLogsAPIKeyAccess**. This policy enables CloudWatch Logs API key authentication and encrypted log ingestion, granting permissions to authenticate using bearer tokens and write log events to CloudWatch Logs.  |  February 17, 2026  | 
|  [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.  |   CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**. Permissions for observability administration actions were added to allow read-only access to telemetry pipelines and S3 table integrations.  |  December 02, 2025  | 
|  [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy.  |  CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**. Permissions for observability administration actions were added to allow read-only access to telemetry pipelines and S3 table integrations.  |  December 02, 2025  | 
|   [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.   |   CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**.  Permissions for `cloudwatch:GenerateQueryResultsSummary` were added to allow for generation of a natural language summary of the query results.   |   May 20, 2025  | 
|   [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy.   |   CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**.  Permissions for `cloudwatch:GenerateQueryResultsSummary` were added to allow for generation of a natural language summary of the query results.   |   May 20, 2025  | 
|   [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.   |   CloudWatch Logs added permissions to **CloudWatchLogsFullAccess**.  Permissions for Amazon OpenSearch Service and IAM were added, to enable CloudWatch Logs integration with OpenSearch Service for some features.   |   December 1, 2024   | 
|   [CloudWatchOpenSearchDashboardsFullAccess](#managed-policies-cwl-CloudWatchOpenSearchDashboardsFullAccess) – New IAM policy.   |   CloudWatch Logs added a new IAM policy, **CloudWatchOpenSearchDashboardsFullAccess**. This policy grants access to create, manage, and delete integrations with OpenSearch Service, and to create, manage, and delete vended log dashboards in those integrations. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).   |   December 1, 2024   | 
|   [CloudWatchOpenSearchDashboardAccess](#managed-policies-cwl-CloudWatchOpenSearchDashboardAccess) – New IAM policy.   |   CloudWatch Logs added a new IAM policy, **CloudWatchOpenSearchDashboardAccess**. This policy grants access to view vended logs dashboards powered by Amazon OpenSearch Service. For more information, see [Analyze with Amazon OpenSearch Service](CloudWatchLogs-OpenSearch-Dashboards.md).   |   December 1, 2024   | 
|   [CloudWatchLogsFullAccess](#managed-policies-cwl-CloudWatchLogsFullAccess) – Update to an existing policy.   |   CloudWatch Logs added a permission to **CloudWatchLogsFullAccess**.   The `cloudwatch:GenerateQuery` permission was added, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt.   |   November 27, 2023   | 
|   [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy.   |   CloudWatch added a permission to **CloudWatchLogsReadOnlyAccess**.   The `cloudwatch:GenerateQuery` permission was added, so that users with this policy can generate a [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) query string from a natural language prompt.   |   November 27, 2023   | 
|  [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy  |  CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**. The `logs:StartLiveTail` and `logs:StopLiveTail` permissions were added so that users with this policy can use the console to start and stop CloudWatch Logs live tail sessions. For more information, see [ Use live tail to view logs in near real time](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs_LiveTail.html).  | June 6, 2023 | 
|  [CloudWatchLogsCrossAccountSharingConfiguration](#managed-policies-cwl-CloudWatchLogsCrossAccountSharingConfiguration) – New policy  |  CloudWatch Logs added a new policy to enable you to manage CloudWatch cross-account observability links that share CloudWatch Logs log groups. For more information, see [CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).  | November 27, 2022 | 
|  [CloudWatchLogsReadOnlyAccess](#managed-policies-cwl-CloudWatchLogsReadOnlyAccess) – Update to an existing policy  |  CloudWatch Logs added permissions to **CloudWatchLogsReadOnlyAccess**. The `oam:ListSinks` and `oam:ListAttachedLinks` permissions were added so that users with this policy can use the console to view data shared from source accounts in CloudWatch cross-account observability.  | November 27, 2022 | 

### Customer managed policy examples


You can create your own custom IAM policies to allow permissions for CloudWatch Logs actions and resources. You can attach these custom policies to the users or groups that require those permissions.

In this section, you can find example user policies that grant permissions for various CloudWatch Logs actions. These policies work when you are using the CloudWatch Logs API, AWS SDKs, or the AWS CLI.

**Topics**
+ [

#### Example 1: Allow full access to CloudWatch Logs
](#w2aac59c15c15c23c19b9)
+ [

#### Example 2: Allow read-only access to CloudWatch Logs
](#w2aac59c15c15c23c19c11)
+ [

#### Example 3: Allow access to one log group
](#w2aac59c15c15c23c19c13)

#### Example 1: Allow full access to CloudWatch Logs


The following policy allows a user to access all CloudWatch Logs actions.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

------

#### Example 2: Allow read-only access to CloudWatch Logs


AWS provides a **CloudWatchLogsReadOnlyAccess** policy that enables read-only access to CloudWatch Logs data. This policy includes the following core permissions. The managed policy has since gained further permissions (for example the `oam:` and `cloudwatch:GenerateQueryResultsSummary` actions listed in the updates table above), so view the policy in the IAM console for the current definition.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "logs:StartLiveTail",
        "logs:StopLiveTail",
        "cloudwatch:GenerateQuery"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

------

#### Example 3: Allow access to one log group


The following policy allows a user to read and write log events in one specified log group.

**Important**  
The `:*` at the end of the log group name in the `Resource` line is required so that the policy also covers the log streams in this log group; log stream ARNs have the form `arn:aws:logs:Region:account-id:log-group:log_group_name:log-stream:log_stream_name`. If you omit `:*`, the ARN matches only the log group itself, and stream-level actions such as `logs:CreateLogStream` and `logs:PutLogEvents` are denied.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:SampleLogGroupName:*"
    }
  ]
}
```

------

### Use tagging and IAM policies for control at the log group level


You can grant users access to certain log groups while preventing them from accessing other log groups. To do so, tag your log groups and use IAM policies that refer to those tags. To apply tags to a log group, you need either the `logs:TagResource` or the `logs:TagLogGroup` permission. This applies whether you assign tags to the log group when you create it or assign them later.

For more information about tagging log groups, see [Tag log groups in Amazon CloudWatch Logs](Working-with-log-groups-and-streams.md#log-group-tagging).

When you tag log groups, you can then attach an IAM policy to a user that allows access only to the log groups with a particular tag. For example, the following policy statement grants access only to log groups with the value `Green` for the tag key `Team`. Note that `aws:ResourceTag` is present only in requests that target a specific log group; actions that take no tagged resource, such as `logs:DescribeLogGroups` or `logs:CreateLogGroup`, are not matched by this statement and must be allowed separately (for `CreateLogGroup`, you can require the tag on the request with `aws:RequestTag/Team` instead).

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/Team": "Green"
        }
      }
    }
  ]
}
```

------
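To see why Example 3 needs the trailing `:*` and how the tag condition above behaves when no tag key is present, the following script models the relevant part of IAM policy evaluation. It is an added example, not code from the CloudWatch Logs documentation and not the real IAM engine: it implements only Allow/Deny statements, the `*` and `?` wildcards IAM uses in `Action` and `Resource`, and the `StringEquals`/`StringLike` operators. The log stream name and the request context (the tag values the service would supply) are constructed for the example.

```python
"""Model of IAM matching for the CloudWatch Logs policies above (added example).
Not the real IAM evaluator: only Allow/Deny, '*' and '?' wildcards, and the
StringEquals/StringLike operators are modelled. Stream names and request
context are constructed."""
import re
from typing import Optional

ACCOUNT, REGION = "123456789012", "us-west-2"          # sample values from the page
GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:SampleLogGroupName"
STREAM_ARN = GROUP_ARN + ":log-stream:web-01"                      # constructed
OTHER_STREAM_ARN = (f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:OtherLogGroup"
                    ":log-stream:web-01")                          # constructed


def iam_match(pattern: str, value: str) -> bool:
    """IAM glob semantics: '*' matches any run of characters (including none),
    '?' exactly one; everything else is literal, including ':'."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition: dict, context: dict) -> bool:
    """A condition key absent from the request context makes the condition
    false; that is what happens to aws:ResourceTag/... on actions such as
    DescribeLogGroups that do not target a single tagged log group."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator!r} is not modelled here")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                matched = actual in _as_list(wanted)
            else:
                matched = any(iam_match(w, actual) for w in _as_list(wanted))
            if not matched:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def log_group_policy(resource_arn: str) -> dict:
    """Example 3 from the page, parameterised on its Resource ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams",
                   "logs:PutLogEvents", "logs:GetLogEvents"],
        "Resource": resource_arn}]}


TAG_POLICY = {"Version": "2012-10-17", "Statement": [{     # the tag policy above
    "Effect": "Allow", "Action": ["logs:*"], "Resource": "*",
    "Condition": {"StringLike": {"aws:ResourceTag/Team": "Green"}}}]}


def example3_checks() -> dict:
    """PutLogEvents is authorised against the log *stream* ARN, so only the
    ':*' form of the Resource reaches it."""
    with_star, without_star = log_group_policy(GROUP_ARN + ":*"), log_group_policy(GROUP_ARN)
    return {
        "with_star_same_group": is_allowed(with_star, "logs:PutLogEvents", STREAM_ARN),
        "with_star_other_group": is_allowed(with_star, "logs:PutLogEvents", OTHER_STREAM_ARN),
        "without_star": is_allowed(without_star, "logs:PutLogEvents", STREAM_ARN),
        "unlisted_action": is_allowed(with_star, "logs:DeleteLogStream", STREAM_ARN),
    }


def tag_checks() -> dict:
    """Request contexts are constructed; in a real request the service supplies
    the aws:ResourceTag keys of the log group being accessed."""
    return {
        "green_group": is_allowed(TAG_POLICY, "logs:GetLogEvents", STREAM_ARN,
                                  {"aws:ResourceTag/Team": "Green"}),
        "blue_group": is_allowed(TAG_POLICY, "logs:GetLogEvents", STREAM_ARN,
                                 {"aws:ResourceTag/Team": "Blue"}),
        "untagged_request": is_allowed(TAG_POLICY, "logs:DescribeLogGroups", "*", {}),
    }


if __name__ == "__main__":
    for name, result in {**example3_checks(), **tag_checks()}.items():
        print(f"{name:>24}: {'allow' if result else 'deny'}")
```

Run it and compare the `with_star`/`without_star` rows: the only difference between the two policies is the trailing `:*`, and it is the difference between `PutLogEvents` being allowed and denied. The `untagged_request` row shows why a tag-scoped `logs:*` grant still needs a separate statement for list and describe actions.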

The **StopQuery** and **StopLiveTail** API operations don't interact with AWS resources in the traditional sense. They don't return any data, put any data, or modify a resource in any way. Instead, they operate only on a given live tail session or a given CloudWatch Logs Insights query, which are not categorized as resources. As a result, when you specify the `Resource` field in IAM policies for these operations, you must set the value of the `Resource` field as `*`, as in the following example. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:StopQuery",
        "logs:StopLiveTail"
      ],
      "Resource": "*"
    }
  ]
}
```

------

For more information about using IAM policy statements, see [Controlling Access Using Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html) in the *IAM User Guide*.

# CloudWatch Logs permissions reference


When you are setting up [Access control](auth-and-access-control-cwl.md#access-control-cwl) and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each CloudWatch Logs API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's `Action` field. For the `Resource` field, you can specify the ARN of a log group or log stream, or specify `*` to represent all CloudWatch Logs resources.

You can use AWS-wide condition keys in your CloudWatch Logs policies to express conditions. For a complete list of AWS-wide keys, see [AWS Global and IAM Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

**Note**  
To specify an action, use the `logs:` prefix followed by the API operation name. For example: `logs:CreateLogGroup`, `logs:CreateLogStream`, or `logs:*` (for all CloudWatch Logs actions).


**CloudWatch Logs API operations and required permissions for actions**  

| CloudWatch Logs API operations | Required permissions (API actions) | 
| --- | --- | 
|  [CancelExportTask](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CancelExportTask.html)  |  `logs:CancelExportTask` Required to cancel a pending or running export task.  | 
|  [CreateExportTask](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateExportTask.html)  |  `logs:CreateExportTask` Required to export data from a log group to an Amazon S3 bucket.  | 
|  [CreateLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogGroup.html)  |  `logs:CreateLogGroup` Required to create a new log group.  | 
|  [CreateLogStream](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogStream.html)  |  `logs:CreateLogStream` Required to create a new log stream in a log group.  | 
|  [DeleteDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteDestination.html)  |  `logs:DeleteDestination` Required to delete a log destination and disable any subscription filters to it.  | 
|  [DeleteLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html)  |  `logs:DeleteLogGroup` Required to delete a log group and any associated archived log events.  | 
|  [DeleteLogStream](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html)  |  `logs:DeleteLogStream` Required to delete a log stream and any associated archived log events.  | 
|  [DeleteMetricFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteMetricFilter.html)  |  `logs:DeleteMetricFilter` Required to delete a metric filter associated with a log group.  | 
|  [DeleteQueryDefinition](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteQueryDefinition.html)  |  `logs:DeleteQueryDefinition` Required to delete a saved query definition in CloudWatch Logs Insights.  | 
|  [DeleteResourcePolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteResourcePolicy.html)  |  `logs:DeleteResourcePolicy` Required to delete a CloudWatch Logs resource policy.  | 
|  [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html)  |  `logs:DeleteRetentionPolicy` Required to delete a log group's retention policy.  | 
|  [DeleteSubscriptionFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteSubscriptionFilter.html)  |  `logs:DeleteSubscriptionFilter` Required to delete the subscription filter associated with a log group.  | 
|  [DescribeDestinations](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeDestinations.html)  |  `logs:DescribeDestinations` Required to view all destinations associated with the account.  | 
|  [DescribeExportTasks](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeExportTasks.html)  |  `logs:DescribeExportTasks` Required to view all export tasks associated with the account.  | 
|  [DescribeLogGroups](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeLogGroups.html)  |  `logs:DescribeLogGroups` Required to view all log groups associated with the account.  | 
|  [DescribeLogStreams](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeLogStreams.html)  |  `logs:DescribeLogStreams` Required to view all log streams associated with a log group.  | 
|  [DescribeMetricFilters](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeMetricFilters.html)  |  `logs:DescribeMetricFilters` Required to view all metrics associated with a log group.  | 
|  [DescribeQueryDefinitions](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeQueryDefinitions.html)  |  `logs:DescribeQueryDefinitions` Required to see the list of saved query definitions in CloudWatch Logs Insights.  | 
|  [DescribeQueries](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeQueries.html)  |  `logs:DescribeQueries` Required to see the list of CloudWatch Logs Insights queries that are scheduled, executing, or have recently executed.  | 
|  [DescribeResourcePolicies](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeResourcePolicies.html)  |  `logs:DescribeResourcePolicies` Required to view a list of CloudWatch Logs resource policies.  | 
|  [DescribeSubscriptionFilters](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeSubscriptionFilters.html)  |  `logs:DescribeSubscriptionFilters` Required to view all subscription filters associated with a log group.  | 
|  [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html)  |  `logs:FilterLogEvents` Required to search the log events in a log group by filter pattern.  | 
|  [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html)  |  `logs:GetLogEvents` Required to retrieve log events from a log stream.  | 
|  [GetLogGroupFields](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogGroupFields.html)  |  `logs:GetLogGroupFields` Required to retrieve the list of fields that are included in the log events in a log group.  | 
|  [GetLogRecord](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogRecord.html)  |  `logs:GetLogRecord` Required to retrieve the details from a single log event.  | 
|  [GetLogObject](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogObject.html)  |  `logs:GetLogObject` Required to fetch the content of large portions of log events that have been ingested through the PutOpenTelemetryLogs API.  | 
|  [GetQueryResults](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetQueryResults.html)  |  `logs:GetQueryResults` Required to retrieve the results of CloudWatch Logs Insights queries.  | 
|  ListEntitiesForLogGroup (CloudWatch console-only permission)  |  `logs:ListEntitiesForLogGroup` Required to find the entities associated with a log group. Required to explore related logs within the CloudWatch console.  | 
|  ListLogGroupsForEntity (CloudWatch console-only permission)  |  `logs:ListLogGroupsForEntity` Required to find the log groups associated with an entity. Required to explore related logs within the CloudWatch console.  | 
|  [ListTagsLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_ListTagsLogGroup.html)  |  `logs:ListTagsLogGroup` Required to list the tags associated with a log group.  | 
|  [ListLogGroups](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_ListLogGroups.html)  |  `logs:DescribeLogGroups` Required to view all log groups associated with the account.  | 
|  [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html)  |  `logs:PutDestination` Required to create or update a destination log stream (such as a Kinesis stream).  | 
|  [PutDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestinationPolicy.html)  |  `logs:PutDestinationPolicy` Required to create or update an access policy associated with an existing log destination.  | 
|  [PutLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html)  |  `logs:PutLogEvents` Required to upload a batch of log events to a log stream.  | 
|  [PutMetricFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutMetricFilter.html)  |  `logs:PutMetricFilter` Required to create or update a metric filter and associate it with a log group.  | 
|  [PutQueryDefinition](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutQueryDefinition.html)  |  `logs:PutQueryDefinition` Required to save a query in CloudWatch Logs Insights, including saved queries with parameters.  | 
|  [PutResourcePolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutResourcePolicy.html)  |  `logs:PutResourcePolicy` Required to create a CloudWatch Logs resource policy.  | 
|  [PutRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutRetentionPolicy.html)  |  `logs:PutRetentionPolicy` Required to set the number of days to keep log events (retention) in a log group.  | 
|  [PutSubscriptionFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutSubscriptionFilter.html)  |  `logs:PutSubscriptionFilter` Required to create or update a subscription filter and associate it with a log group.  | 
|  [StartQuery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StartQuery.html)  |  `logs:StartQuery` Required to start CloudWatch Logs Insights queries. To run a saved query with parameters, you also need `logs:DescribeQueryDefinitions`.  | 
|  [StopQuery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StopQuery.html)  |  `logs:StopQuery` Required to stop a CloudWatch Logs Insights query that is in progress.  | 
|  [TagLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_TagLogGroup.html)  |  `logs:TagLogGroup` Required to add or update log group tags.  | 
|  [TestMetricFilter](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_TestMetricFilter.html)  |  `logs:TestMetricFilter` Required to test a filter pattern against a sampling of log event messages.  | 

# Using service-linked roles for CloudWatch Logs
Using service-linked roles

Amazon CloudWatch Logs uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html). A service-linked role is a unique type of IAM role that is linked directly to CloudWatch Logs. Service-linked roles are predefined by CloudWatch Logs and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up CloudWatch Logs more efficient because you aren't required to manually add the necessary permissions. CloudWatch Logs defines the permissions of its service-linked roles, and unless defined otherwise, only CloudWatch Logs can assume those roles. The defined permissions include the trust policy and the permissions policy. That permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for CloudWatch Logs


CloudWatch Logs uses the service-linked role named **AWSServiceRoleForLogDelivery**. CloudWatch Logs uses this service-linked role to write logs directly to Firehose. For more information, see [Enable logging from AWS services](AWS-logs-and-resource-policy.md).

The **AWSServiceRoleForLogDelivery** service-linked role trusts the following services to assume the role:
+ `logs.amazonaws.com`

The role permissions policy allows CloudWatch Logs to complete the following actions on the specified resources:
+ Action: `firehose:PutRecord` and `firehose:PutRecordBatch` on all Firehose streams that have a tag with a `LogDeliveryEnabled` key with a value of `True`. This tag is automatically attached to a Firehose stream when you create a subscription to deliver the logs to Firehose.

You must configure permissions to allow an IAM entity to create, edit, or delete a service-linked role. This entity could be a user, group, or role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
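The following identity-based policy is an added example, written to the pattern the IAM User Guide gives for service-linked role permissions rather than taken from this page. It grants only the ability to create this one role, and the `iam:AWSServiceName` condition pins the grant to CloudWatch Logs so the same statement cannot be used to create service-linked roles for other services. The `*` account ID in the role ARN is deliberate so the statement can be reused across accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateLogDeliveryServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/logs.amazonaws.com/AWSServiceRoleForLogDelivery",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "logs.amazonaws.com"
        }
      }
    }
  ]
}
```

Principals that set up log delivery to Firehose for the first time in an account need this grant (or an equivalent) in addition to their CloudWatch Logs permissions; without it the delivery setup fails with an access-denied error on the `iam:CreateServiceLinkedRole` call.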

## Creating a service-linked role for CloudWatch Logs


You aren't required to manually create a service-linked role. When you set up logs to be sent directly to a Firehose stream in the AWS Management Console, the AWS CLI, or the AWS API, CloudWatch Logs creates the service-linked role for you. 

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you again set up logs to be sent directly to a Firehose stream, CloudWatch Logs creates the service-linked role for you again. 

## Editing a service-linked role for CloudWatch Logs


CloudWatch Logs does not allow you to edit **AWSServiceRoleForLogDelivery**, or any other service-linked role, after you create it. You cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for CloudWatch Logs


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the CloudWatch Logs service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete CloudWatch Logs resources used by the AWSServiceRoleForLogDelivery service-linked role**
+ Stop sending logs directly to Firehose streams.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the **AWSServiceRoleForLogDelivery** service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

### Supported Regions for CloudWatch Logs service-linked roles


CloudWatch Logs supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see [CloudWatch Logs Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#cwl_region).

# CloudWatch Logs updates to AWS service-linked roles
Policy updates



View details about updates to the AWS service-linked role for CloudWatch Logs since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CloudWatch Logs Document history page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [ AWSServiceRoleForLogDelivery service-linked role policy](AWS-logs-infrastructure-Firehose.md) – Update to an existing policy  |  CloudWatch Logs changed the permissions in the IAM policy associated with the **AWSServiceRoleForLogDelivery** service-linked role. The following change was made: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cwl-slrpolicy-updates.html)  | July 15, 2021 | 
|  CloudWatch Logs started tracking changes  |  CloudWatch Logs started tracking changes for its AWS managed policies.  | June 10, 2021 | 

# Compliance validation for Amazon CloudWatch Logs
Compliance validation

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in Amazon CloudWatch Logs
Resilience

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in Amazon CloudWatch Logs
Infrastructure security

As a managed service, Amazon CloudWatch Logs is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

You use AWS published API calls to access CloudWatch Logs through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

# Using CloudWatch Logs with interface VPC endpoints
Interface VPC endpoints

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and CloudWatch Logs. You can use this connection to send logs to CloudWatch Logs without sending them through the internet. CloudWatch Logs supports both IPv4 and IPv6 VPC endpoints in all Regions.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. To connect your VPC to CloudWatch Logs, you define an *interface VPC endpoint* for CloudWatch Logs. This type of endpoint enables you to connect your VPC to AWS services. The endpoint provides reliable, scalable connectivity to CloudWatch Logs without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see [What is Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/) in the *Amazon VPC User Guide*.

 Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IP addresses. For more information, see [New – AWS PrivateLink for AWS Services](https://aws.amazon.com/blogs/aws/new-aws-privatelink-endpoints-kinesis-ec2-systems-manager-and-elb-apis-in-your-vpc/).

The following steps are for users of Amazon VPC. For more information, see [Getting Started](https://docs.aws.amazon.com/vpc/latest/userguide/GetStarted.html) in the *Amazon VPC User Guide*.

## Availability


CloudWatch Logs currently supports VPC endpoints in all AWS Regions, including the AWS GovCloud (US) Regions.

## Creating a VPC endpoint for CloudWatch Logs


To start using CloudWatch Logs with your VPC, create an interface VPC endpoint for CloudWatch Logs. The service to choose is **com.amazonaws.*Region*.logs**. To connect with a FIPS endpoint, the service to choose is `com.amazonaws.Region.logs-fips`. You do not need to change any settings for CloudWatch Logs. For more information, see [Creating an Interface Endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint.html) in the *Amazon VPC User Guide*.

Some CloudWatch Logs APIs, such as StartLiveTail and GetLogObject, are hosted under a different endpoint and VPC endpoint: `stream-logs.Region.amazonaws.com`. To create an interface VPC endpoint for these APIs, the service to choose is **com.amazonaws.*Region*.stream-logs**. To connect with a FIPS endpoint, the service to choose is `com.amazonaws.Region.stream-logs-fips`. 



## Testing the connection between your VPC and CloudWatch Logs


After you create the endpoint, you can test the connection.

**To test the connection between your VPC and your CloudWatch Logs endpoint**

1. Connect to an Amazon EC2 instance that resides in your VPC. For information about connecting, see [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-to-linux-instance.html) or [Connecting to Your Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the Amazon EC2 documentation.

1. From the instance, use the AWS CLI to create a log entry in one of your existing log groups.

   First, create a JSON file with a log event. The timestamp must be specified as the number of milliseconds after Jan 1, 1970 00:00:00 UTC. Use the current time rather than the sample value shown: CloudWatch Logs rejects events that are older than 14 days (or older than the log group's retention period) or more than 2 hours in the future.

   ```
   [
     {
       "timestamp": 1533854071310,
       "message": "VPC Connection Test"
     }
   ]
   ```

   Then, use the `put-log-events` command to create the log entry:

   ```
   aws logs put-log-events --log-group-name LogGroupName --log-stream-name LogStreamName --log-events file://JSONFileName
   ```

   If the response to the command includes `nextSequenceToken`, the command has succeeded and your VPC endpoint is working.

## Controlling access to your CloudWatch Logs VPC endpoint


A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint. If you don't attach a policy when you create an endpoint, we attach a default policy for you that allows full access to the service. An endpoint policy doesn't override or replace IAM policies or service-specific policies. It's a separate policy for controlling access from the endpoint to the specified service. 

Endpoint policies must be written in JSON format. 

For more information, see [Controlling Access to Services with VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*.

The following is an example of an endpoint policy for CloudWatch Logs. This policy enables users connecting to CloudWatch Logs through the VPC to create log streams and send logs to CloudWatch Logs, and prevents them from performing other CloudWatch Logs actions.

```
{
  "Statement": [
    {
      "Sid": "PutOnly",
      "Principal": "*",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

**To modify the VPC endpoint policy for CloudWatch Logs**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. If you have not already created the endpoint for CloudWatch Logs, choose **Create endpoint**. Then select **com.amazonaws.*Region*.logs** and choose **Create endpoint**.

1. Select the **com.amazonaws.*Region*.logs** endpoint, and choose the **Policy** tab in the lower half of the screen.

1. Choose **Edit Policy** and make the changes to the policy.

## Support for VPC context keys


CloudWatch Logs supports the `aws:SourceVpc` and `aws:SourceVpce` context keys that can limit access to specific VPCs or specific VPC endpoints. These keys work only when the user is using VPC endpoints. For more information, see [Keys Available for Some Services](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-service-available) in the *IAM User Guide*.
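As an added example (not code from the AWS documentation), the following Python helpers cover both the connection test above and the context keys described here: they build a log event in the millisecond-timestamp format `put-log-events` expects, apply the documented `nextSequenceToken` success check, and generate an IAM policy that uses `aws:SourceVpce` to deny the two write actions from anywhere but one endpoint. Two things are assumptions not stated on this page: the 14-day / 2-hour acceptance window is the service's general PutLogEvents limit, and any `vpce-...` id is a constructed placeholder.

```python
# Added example (not AWS documentation code): helpers for the VPC endpoint
# connection test above and for an aws:SourceVpce policy. Standard library only.
import time

MS_PER_HOUR = 3_600_000
MS_PER_DAY = 24 * MS_PER_HOUR


def build_log_event(message, now_ms=None):
    """One PutLogEvents entry; the timestamp is ms since 1970-01-01 00:00:00 UTC."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return {"timestamp": now_ms, "message": message}


def event_window_problem(event, now_ms):
    """CloudWatch Logs rejects events older than 14 days or more than 2 hours in
    the future (service limit, assumed here). Return None when in range."""
    age = now_ms - event["timestamp"]
    if age > 14 * MS_PER_DAY:
        return "tooOld"   # what a copied 2018 sample timestamp would trigger
    if age < -2 * MS_PER_HOUR:
        return "tooNew"
    return None


def endpoint_is_working(response):
    """The documented success check: a nextSequenceToken in the reply."""
    return "nextSequenceToken" in response


def vpce_only_policy(vpce_id, log_group_arn="*"):
    """IAM policy that allows the two write actions but denies them unless the
    request arrives through the given endpoint (aws:SourceVpce). vpce_id is
    caller supplied; the test uses a constructed placeholder."""
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PutOnly", "Effect": "Allow", "Action": actions,
             "Resource": log_group_arn},
            {"Sid": "DenyOutsideEndpoint", "Effect": "Deny", "Action": actions,
             "Resource": log_group_arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }
```

Run `event_window_problem` on the event before writing it to the JSON file for `--log-events file://`, so a rejected-event response is not mistaken for an endpoint problem.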
