Permissions for @turbot/aws-logs
The permissions for Logs and the grant level associated with each permission:
Permission | Grant Level | Help |
---|---|---|
logs:AssociateKmsKey | Admin | Associates the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group. |
logs:CancelExportTask | Operator | |
logs:CreateDelivery | Admin | |
logs:CreateExportTask | Operator | |
logs:CreateLogAnomalyDetector | Admin | |
logs:CreateLogDelivery | Admin | |
logs:CreateLogGroup | Admin | |
logs:CreateLogStream | Operator | Operators can create but cannot delete streams. (Deleting a stream deletes the events in it.) |
logs:DeleteAccountPolicy | Admin | |
logs:DeleteDataProtectionPolicy | Admin | |
logs:DeleteDelivery | Admin | |
logs:DeleteDeliveryDestination | Admin | |
logs:DeleteDeliveryDestinationPolicy | Admin | |
logs:DeleteDeliverySource | Admin | |
logs:DeleteDestination | Admin | Admins can delete a Destination. |
logs:DeleteLogAnomalyDetector | Admin | |
logs:DeleteLogDelivery | Admin | |
logs:DeleteLogGroup | Admin | |
logs:DeleteLogStream | Admin | |
logs:DeleteMetricFilter | Operator | |
logs:DeleteQueryDefinition | Admin | |
logs:DeleteResourcePolicy | Admin | If the resource policy is deleted, this revokes the access of the identities in that policy to put log events to this account. |
logs:DeleteRetentionPolicy | Admin | |
logs:DeleteSubscriptionFilter | Admin | Safe for admin since it requires an associated IAM role which is controlled by Turbot. |
logs:DescribeAccountPolicies | Metadata | |
logs:DescribeDeliveries | Metadata | |
logs:DescribeDeliveryDestinations | Metadata | |
logs:DescribeDeliverySources | Metadata | |
logs:DescribeDestinations | Metadata | |
logs:DescribeExportTasks | Metadata | |
logs:DescribeLogGroups | Metadata | |
logs:DescribeLogStreams | Metadata | |
logs:DescribeMetricFilters | Metadata | |
logs:DescribeQueries | Metadata | |
logs:DescribeQueryDefinitions | Metadata | |
logs:DescribeResourcePolicies | Metadata | Lists the resource policies in this account. |
logs:DescribeSubscriptionFilters | Metadata | |
logs:DisassociateKmsKey | Admin | Disassociates the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group. |
logs:FilterLogEvents | ReadOnly | |
logs:GetDataProtectionPolicy | Metadata | |
logs:GetDelivery | Metadata | |
logs:GetDeliveryDestination | Metadata | |
logs:GetDeliveryDestinationPolicy | Metadata | |
logs:GetDeliverySource | Metadata | |
logs:GetLogAnomalyDetector | Metadata | |
logs:GetLogEvents | ReadOnly | |
logs:GetLogGroupFields | Metadata | |
logs:GetLogRecord | Metadata | |
logs:GetQueryResults | Metadata | |
logs:Link | Metadata | |
logs:ListAnomalies | Metadata | |
logs:ListLogAnomalyDetectors | Metadata | |
logs:ListTagsForResource | Metadata | |
logs:ListTagsLogGroup | Metadata | |
logs:PutAccountPolicy | Admin | |
logs:PutDataProtectionPolicy | Admin | |
logs:PutDeliveryDestination | Admin | |
logs:PutDeliveryDestinationPolicy | Admin | |
logs:PutDeliverySource | Admin | |
logs:PutDestination | Admin | Admins can create or update a Destination. Currently the only supported physical resource is a Kinesis stream belonging to the same account as the destination. |
logs:PutDestinationPolicy | Admin | Admins can create or update an access policy associated with an existing destination. |
logs:PutLogEvents | Operator | |
logs:PutMetricFilter | Operator | |
logs:PutQueryDefinition | Admin | |
logs:PutResourcePolicy | Admin | Creates or updates a resource policy allowing other AWS services (within the account), such as Amazon Route 53, to put log events to this account. An account can have up to 10 resource policies per region. |
logs:PutRetentionPolicy | Admin | |
logs:PutSubscriptionFilter | Admin | Safe for admin since it requires an associated IAM role which is controlled by Turbot. |
logs:StartLiveTail | Admin | |
logs:StartQuery | Operator | |
logs:StopLiveTail | Admin | |
logs:StopQuery | Operator | |
logs:TagLogGroup | Operator | Operators can manage log group tags. |
logs:TagResource | Operator | |
logs:TestMetricFilter | Operator | |
logs:Unmask | Admin | |
logs:UntagLogGroup | Operator | Operators can manage log group tags. |
logs:UntagResource | Operator | |
logs:UpdateAnomaly | Admin | |
logs:UpdateLogAnomalyDetector | Admin | |
logs:UpdateLogDelivery | Admin | |