Additional permissions for log delivery - Amazon Managed Streaming for Apache Kafka

Additional permissions for log delivery

If you configure log delivery on the Replicator, append the appropriate statements below to the base policy. You only need the snippets for the destinations you enable.

Amazon CloudWatch Logs destination

Append the following statement when cloudWatchLogs.enabled is true in the logDelivery configuration.

{
    "Sid": "CloudWatchLogsLogDeliveryActions",
    "Effect": "Allow",
    "Action": [
        "logs:CreateLogDelivery",
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups",
        "logs:ListLogDeliveries"
    ],
    "Resource": [
        "*"
    ]
}

Amazon S3 destination

Append the following statements when s3.enabled is true. Replace <logBucketName> with your destination bucket name.

[
    {
        "Sid": "S3LogDeliveryActions",
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogDelivery",
            "logs:ListLogDeliveries"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Sid": "S3BucketLogDeliveryActions",
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketPolicy",
            "s3:PutBucketPolicy"
        ],
        "Resource": "arn:aws:s3:::<logBucketName>"
    }
]

Firehose destination

Append the following statements when firehose.enabled is true. Replace <accountID> with your AWS account ID.

[
    {
        "Sid": "FirehoseLogDeliveryActions",
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogDelivery",
            "logs:ListLogDeliveries",
            "firehose:TagDeliveryStream"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Sid": "FirehoseLogDeliveryServiceLinkedRole",
        "Effect": "Allow",
        "Action": [
            "iam:CreateServiceLinkedRole"
        ],
        "Resource": "arn:aws:iam::<accountID>:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
    }
]
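As an added example (not part of the AWS documentation or any AWS tooling), the following Python assembles only the statements for the destinations enabled in a logDelivery configuration, substitutes the two placeholders, and refuses to emit a policy that still contains one, so the Replicator role never receives permissions for destinations it does not use. The dict shape of the configuration, the 12-digit account-ID check and the function names are assumptions made for this example.

```python
import json

CLOUDWATCH = {"Sid": "CloudWatchLogsLogDeliveryActions", "Effect": "Allow",
              "Action": ["logs:CreateLogDelivery", "logs:PutResourcePolicy",
                         "logs:DescribeResourcePolicies", "logs:DescribeLogGroups",
                         "logs:ListLogDeliveries"],
              "Resource": ["*"]}
S3_LOGS = {"Sid": "S3LogDeliveryActions", "Effect": "Allow",
           "Action": ["logs:CreateLogDelivery", "logs:ListLogDeliveries"],
           "Resource": ["*"]}
S3_BUCKET = {"Sid": "S3BucketLogDeliveryActions", "Effect": "Allow",
             "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
             "Resource": "arn:aws:s3:::<logBucketName>"}
FIREHOSE = {"Sid": "FirehoseLogDeliveryActions", "Effect": "Allow",
            "Action": ["logs:CreateLogDelivery", "logs:ListLogDeliveries",
                       "firehose:TagDeliveryStream"],
            "Resource": ["*"]}
FIREHOSE_SLR = {"Sid": "FirehoseLogDeliveryServiceLinkedRole", "Effect": "Allow",
                "Action": ["iam:CreateServiceLinkedRole"],
                "Resource": "arn:aws:iam::<accountID>:role/aws-service-role/"
                            "delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"}

def _enabled(log_delivery, destination):
    # Assumed shape: {"s3": {"enabled": True}, ...}; an absent key counts as disabled.
    return bool(log_delivery.get(destination, {}).get("enabled"))

def build_log_delivery_statements(log_delivery, log_bucket_name=None, account_id=None):
    """Return only the statements needed for the destinations that are enabled."""
    statements = []
    if _enabled(log_delivery, "cloudWatchLogs"):
        statements.append(CLOUDWATCH)
    if _enabled(log_delivery, "s3"):
        if not log_bucket_name:
            raise ValueError("s3 destination enabled but no log bucket name given")
        statements += [S3_LOGS, dict(S3_BUCKET, Resource=f"arn:aws:s3:::{log_bucket_name}")]
    if _enabled(log_delivery, "firehose"):
        if not (account_id and account_id.isdigit() and len(account_id) == 12):
            raise ValueError("firehose destination enabled but account ID is not 12 digits")
        slr_arn = FIREHOSE_SLR["Resource"].replace("<accountID>", account_id)
        statements += [FIREHOSE, dict(FIREHOSE_SLR, Resource=slr_arn)]
    return statements

def append_to_policy(base_policy, statements):
    """Return a copy of the base policy with the statements appended; reject leftover placeholders."""
    policy = json.loads(json.dumps(base_policy))  # cheap deep copy of a JSON-shaped dict
    policy.setdefault("Statement", []).extend(statements)
    if "<" in json.dumps(policy):
        raise ValueError("unreplaced placeholder in policy")
    return policy
```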

For more information about vended-logs permissions, see Enabling logging from AWS services.