Permissions for @turbot/aws-logs

The following table lists each Logs permission and its associated grant level:

| Permission | Grant Level | Help |
| --- | --- | --- |
| logs:AssociateKmsKey | Admin | Associates the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group. |
| logs:CancelExportTask | Operator | |
| logs:CreateDelivery | Admin | |
| logs:CreateExportTask | Operator | |
| logs:CreateLogAnomalyDetector | Admin | |
| logs:CreateLogDelivery | Admin | |
| logs:CreateLogGroup | Admin | |
| logs:CreateLogStream | Operator | Operators can create but cannot delete streams. (Deletion of a stream deletes the events in it.) |
| logs:DeleteAccountPolicy | Admin | |
| logs:DeleteDataProtectionPolicy | Admin | |
| logs:DeleteDelivery | Admin | |
| logs:DeleteDeliveryDestination | Admin | |
| logs:DeleteDeliveryDestinationPolicy | Admin | |
| logs:DeleteDeliverySource | Admin | |
| logs:DeleteDestination | Admin | Admins can delete a Destination. |
| logs:DeleteLogAnomalyDetector | Admin | |
| logs:DeleteLogDelivery | Admin | |
| logs:DeleteLogGroup | Admin | |
| logs:DeleteLogStream | Admin | |
| logs:DeleteMetricFilter | Operator | |
| logs:DeleteQueryDefinition | Admin | |
| logs:DeleteResourcePolicy | Admin | If the resource policy is deleted, this revokes the access of the identities in that policy to put log events to this account. |
| logs:DeleteRetentionPolicy | Admin | |
| logs:DeleteSubscriptionFilter | Admin | Safe for admin since it requires an associated IAM role which is controlled by Turbot. |
| logs:DescribeAccountPolicies | Metadata | |
| logs:DescribeDeliveries | Metadata | |
| logs:DescribeDeliveryDestinations | Metadata | |
| logs:DescribeDeliverySources | Metadata | |
| logs:DescribeDestinations | Metadata | |
| logs:DescribeExportTasks | Metadata | |
| logs:DescribeLogGroups | Metadata | |
| logs:DescribeLogStreams | Metadata | |
| logs:DescribeMetricFilters | Metadata | |
| logs:DescribeQueries | Metadata | |
| logs:DescribeQueryDefinitions | Metadata | |
| logs:DescribeResourcePolicies | Metadata | Lists the resource policies in this account. |
| logs:DescribeSubscriptionFilters | Metadata | |
| logs:DisassociateKmsKey | Admin | Disassociates the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group. |
| logs:FilterLogEvents | ReadOnly | |
| logs:GetDataProtectionPolicy | Metadata | |
| logs:GetDelivery | Metadata | |
| logs:GetDeliveryDestination | Metadata | |
| logs:GetDeliveryDestinationPolicy | Metadata | |
| logs:GetDeliverySource | Metadata | |
| logs:GetLogAnomalyDetector | Metadata | |
| logs:GetLogEvents | ReadOnly | |
| logs:GetLogGroupFields | Metadata | |
| logs:GetLogRecord | Metadata | |
| logs:GetQueryResults | Metadata | |
| logs:Link | Metadata | |
| logs:ListAnomalies | Metadata | |
| logs:ListLogAnomalyDetectors | Metadata | |
| logs:ListTagsForResource | Metadata | |
| logs:ListTagsLogGroup | Metadata | |
| logs:PutAccountPolicy | Admin | |
| logs:PutDataProtectionPolicy | Admin | |
| logs:PutDeliveryDestination | Admin | |
| logs:PutDeliveryDestinationPolicy | Admin | |
| logs:PutDeliverySource | Admin | |
| logs:PutDestination | Admin | Admins can create or update a Destination. Currently the only supported physical resource is a Kinesis stream belonging to the same account as the destination. |
| logs:PutDestinationPolicy | Admin | Admins can create or update an access policy associated with an existing destination. |
| logs:PutLogEvents | Operator | |
| logs:PutMetricFilter | Operator | |
| logs:PutQueryDefinition | Admin | |
| logs:PutResourcePolicy | Admin | Creates or updates a resource policy allowing other AWS services (within the account), such as Amazon Route 53, to put log events to this account. An account can have up to 10 resource policies per region. |
| logs:PutRetentionPolicy | Admin | |
| logs:PutSubscriptionFilter | Admin | Safe for admin since it requires an associated IAM role which is controlled by Turbot. |
| logs:StartLiveTail | Admin | |
| logs:StartQuery | Operator | |
| logs:StopLiveTail | Admin | |
| logs:StopQuery | Operator | |
| logs:TagLogGroup | Operator | Operators can manage log group tags. |
| logs:TagResource | Operator | |
| logs:TestMetricFilter | Operator | |
| logs:Unmask | Admin | |
| logs:UntagLogGroup | Operator | Operators can manage log group tags. |
| logs:UntagResource | Operator | |
| logs:UpdateAnomaly | Admin | |
| logs:UpdateLogAnomalyDetector | Admin | |
| logs:UpdateLogDelivery | Admin | |