有人知道如何设置对特定日志组的只读访问吗?
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "logs" {
group = "${aws_iam_group.logs.name}"
policy_arn = "${aws_iam_policy.logs.arn}"
}
resource "aws_iam_group" "logs" {
name = "${title(var.product)}Logs"
}
我目前正在努力设置仅对指定的日志组具有访问权限,但是仅当我将资源设置为“ *”时,才能访问它们。当我将其设置为预定义的日志组时,这是不可能的。有人有良好的做法或解决方案吗?当我在上面尝试此解决方案时,我只会得到
未经授权执行:logs:FilterLogEvents ,当我尝试通过属于IAM组“日志”的用户访问它时。
答案 0 :(得分:1)
aws_cloudwatch_log_group.one.arn已经是one日志组的完整ARN,即
arn:aws:logs:us-east-1:123456789012:log-group:one
因此,仅引用Resources列表中的内容:
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}