0

I created an IAM Identity Center permission set and group. The permission set attached to the group only allows the users inside the group to view CloudWatch logs generated by a specific account (our Crypto account), the statement looks like this:

Note: The statement with the ID "DescribeCryptoTrail" limits the user to only view logs from our Crypto account.

"Statement": 
    {
        "Sid": "DescribeCryptoTrail",
        "Action": "logs:GetLogEvents",
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
        
    }

This works well since the user gets a permission denied error when he tries to view logs from a different account, but now my concern is how do I limit access to the queries the users can return in CloudWatch Logs Insights? For example, the users in the Crypto-Access group should only be able to return queries that were generated by the Crypto account.

So far, I have tried using statements such as:

        {
        "Sid": "AdditionalPermissions",
        "Action": [
            "logs:FilterLogEvents"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
        ]
    },
    {
        "Sid": "AdditionalPermissionsTwo",
        "Action": [
            "logs:DescribeQueryDefinitions"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
        ]
    }

This is a similar approach as to what worked for granting access to the CloudWatch logs, but this time it seems I need to grant access to the entire log group judging from the error:

not authorized to perform: logs:FilterLogEvents on resource: arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:* because no identity-based policy allows the logs:FilterLogEvents action

This indicates that I need to provide access to the main log group, I can't limit it to a specific path in the log group.

Is there any other way I can force query results based on the IAM policy, or maybe a way I can require a user to include a filter in the query such as filter recipientAccountId = "CRYPTO-ACCOUNT-ID"

Thanks in advance

Tegue Morrison
  • 21
  • 4

0 Answers0