Check if we need to update any policies for upcoming CloudWatch changes #178

swiknaba opened this issue Mar 20, 2023 · 0 comments
We are contacting you because we have identified that your AWS account currently uses Amazon CloudWatch Logs and will be impacted by an upcoming change in our authorization strategy.

Currently, the FilterLogEvents action also controls access to the StartQuery, StopQuery, DescribeQueries, GetLogGroupFields, GetLogRecord and GetQueryResults APIs in CloudWatch Logs Insights. After May 15, 2023, FilterLogEvents will no longer control access to these other APIs. Therefore, we recommend you change your inline IAM policies to authorize specific actions to control access of these APIs in addition to FilterLogEvents permission before this date. The new authorization strategy will not be applied for existing accounts that previously used the affected APIs with FilterLogEvents permission.

The following is an example of an IAM policy that will allow permission for seven actions that include FilterLogEvents, StartQuery, StopQuery, DescribeQueries, GetLogGroupFields, GetLogRecord and GetQueryResults.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:FilterLogEvents",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:DescribeQueries",
        "logs:GetLogGroupFields",
        "logs:GetLogRecord",
        "logs:GetQueryResults"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Please refer to our documentation to learn more about recommended inline and managed policies [1][2].
If you have any questions or concerns, please reach out to AWS Support [3].

[1] https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/permissions-reference-cw.html
[2] https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html
[3] https://aws.amazon.com/support
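
One way to run the check this issue asks for, as an added example (not code from this project or from the AWS notice): given IAM policy documents exported as JSON, report which of the six Logs Insights actions are granted only implicitly through `logs:FilterLogEvents`. The function names and the sample policy are assumptions; the check reads only `Allow` statements with `Action` and ignores `Deny`, `NotAction`, `Condition` and `Resource` scoping.

```python
import json
import re

# Actions the AWS notice says FilterLogEvents stops covering after May 15, 2023.
INSIGHTS_ACTIONS = [
    "logs:StartQuery", "logs:StopQuery", "logs:DescribeQueries",
    "logs:GetLogGroupFields", "logs:GetLogRecord", "logs:GetQueryResults",
]

def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive; '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def allowed_patterns(*policies):
    """Collect Action patterns from every Allow statement of the given policies."""
    patterns = []
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") == "Allow":
                patterns.extend(_as_list(stmt.get("Action")))
    return patterns

def missing_insights_actions(*policies):
    """Return the Insights actions that need an explicit grant, or [] if none."""
    patterns = allowed_patterns(*policies)
    def allows(action):
        return any(_matches(p, action) for p in patterns)
    if not allows("logs:FilterLogEvents"):
        return []  # FilterLogEvents is not allowed, so there is no implicit grant to lose
    return [a for a in INSIGHTS_ACTIONS if not allows(a)]

# Constructed sample policy (not from the project): a single statement object,
# a wildcard, and a lower-cased action name, all of which IAM accepts.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow",
                "Action": ["logs:FilterLogEvents", "logs:Get*", "logs:startquery"],
                "Resource": "*"}
}""")

if __name__ == "__main__":
    print(missing_insights_actions(SAMPLE))
```

Pass every policy attached to one principal in a single call, since an action granted by any of them counts as explicitly allowed.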
