我目前的Lambda函数策略如下:
{"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:<MY-ACCOUNT-NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>:*",
"Effect": "Allow"
}
]}
我注意到CloudWatch日志中缺少部分打印日志,当我将其带入策略模拟器并尝试在以下资源上运行CloudWatch CreateLogStream和PutLogEvent操作时,
arn:aws:logs:us-east-1:<MY_ACCOUNT_NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>和arn:aws:logs:us-east-1:<MY_ACCOUNT_NUMBER:log-group:/<MY>/<LOGGING>/<DIR>:log-stream:<MY>/<LOG>/<STREAM> ,我收到了权限错误:Denied Implicitly denied (no matching statements).
我注意到当我将策略中的Resource更改为不包含尾随:*时(因此它看起来像这样:"Resource": "arn:aws:logs:us-east-1:<MY-ACCOUNT-NUMBER>:log-group:/<MY>/<LOGGING>/<DIR>", CreateLogStream操作正常。但是,PutLogEvents由于权限,操作仍然失败。
如果有人能指出我正确的方向,为什么这个政策不适用于模拟器我会非常感激,因为我完全失去了。
答案 0 :(得分:0)
应尽可能减少在资源中使用通配符。
我建议使用以下策略尝试授予最低限度的必要访问权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:DescribeLogStreams",
"Resource": "arn:aws:logs:us-east-1:<ACCOUNT-ID>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:<ACCOUNT-ID>:log-group:/aws/lambda/<LAMBDA-FUNCTION-NAME>",
"arn:aws:logs:us-east-1:<ACCOUNT-ID>:log-group:/aws/lambda/<LAMBDA-FUNCTION-NAME>:log-stream:*",
]
}
]
}