CloudWatch Logs permissions reference

When you are setting up Access control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each CloudWatch Logs API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field. For the Resource field, you can specify the ARN of a log group or log stream, or specify * to represent all CloudWatch Logs resources.

You can use AWS-wide condition keys in your CloudWatch Logs policies to express conditions. For a complete list of AWS-wide keys, see AWS Global and IAM Condition Context Keys in the IAM User Guide.

Note

To specify an action, use the logs: prefix followed by the API operation name. For example: logs:CreateLogGroup, logs:CreateLogStream, or logs:* (for all CloudWatch Logs actions).

CloudWatch Logs API operations and required permissions for actions
CloudWatch Logs API operations	Required permissions (API actions)
CancelExportTask	`logs:CancelExportTask` Required to cancel a pending or running export task.
CreateExportTask	`logs:CreateExportTask` Required to export data from a log group to an Amazon S3 bucket.
CreateLogGroup	`logs:CreateLogGroup` Required to create a new log group.
CreateLogStream	`logs:CreateLogStream` Required to create a new log stream in a log group.
DeleteDestination	`logs:DeleteDestination` Required to delete a log destination and disables any subscription filters to it.
DeleteLogGroup	`logs:DeleteLogGroup` Required to delete a log group and any associated archived log events.
DeleteLogStream	`logs:DeleteLogStream` Required to delete a log stream and any associated archived log events.
DeleteMetricFilter	`logs:DeleteMetricFilter` Required to delete a metric filter associated with a log group.
DeleteQueryDefinition	`logs:DeleteQueryDefinition` Required to delete a saved query definition in CloudWatch Logs Insights.
DeleteResourcePolicy	`logs:DeleteResourcePolicy` Required to delete a CloudWatch Logs resource policy.
DeleteRetentionPolicy	`logs:DeleteRetentionPolicy` Required to delete a log group's retention policy.
DeleteSubscriptionFilter	`logs:DeleteSubscriptionFilter` Required to delete the subscription filter associated with a log group.
DescribeDestinations	`logs:DescribeDestinations` Required to view all destinations associated with the account.
DescribeExportTasks	`logs:DescribeExportTasks` Required to view all export tasks associated with the account.
DescribeLogGroups	`logs:DescribeLogGroups` Required to view all log groups associated with the account.
DescribeLogStreams	`logs:DescribeLogStreams` Required to view all log streams associated with a log group.
DescribeMetricFilters	`logs:DescribeMetricFilters` Required to view all metrics associated with a log group.
DescribeQueryDefinitions	`logs:DescribeQueryDefinitions` Required to see the list of saved query definitions in CloudWatch Logs Insights.
DescribeQueries	`logs:DescribeQueries` Required to see the list of CloudWatch Logs Insights queries that are scheduled, executing, or have recently excecuted.
DescribeResourcePolicies	`logs:DescribeResourcePolicies` Required to view a list of CloudWatch Logs resource policies.
DescribeSubscriptionFilters	`logs:DescribeSubscriptionFilters` Required to view all subscription filters associated with a log group.
FilterLogEvents	`logs:FilterLogEvents` Required to sort log events by log group filter pattern.
GetLogEvents	`logs:GetLogEvents` Required to retrieve log events from a log stream.
GetLogGroupFields	`logs:GetLogGroupFields` Required to retrieve the list of fields that are included in the log events in a log group.
GetLogRecord	`logs:GetLogRecord` Required to retrieve the details from a single log event.
GetQueryResults	`logs:GetQueryResults` Required to retrieve the results of CloudWatch Logs Insights queries.
ListTagsLogGroup	`logs:ListTagsLogGroup` Required to list the tags associated with a log group.
PutDestination	`logs:PutDestination` Required to create or update a destination log stream (such as an Kinesis stream).
PutDestinationPolicy	`logs:PutDestinationPolicy` Required to create or update an access policy associated with an existing log destination.
PutLogEvents	`logs:PutLogEvents` Required to upload a batch of log events to a log stream.
PutMetricFilter	`logs:PutMetricFilter` Required to create or update a metric filter and associate it with a log group.
PutQueryDefinition	`logs:PutQueryDefinition` Required to save a query in CloudWatch Logs Insights.
PutResourcePolicy	`logs:PutResourcePolicy` Required to create a CloudWatch Logs resource policy.
PutRetentionPolicy	`logs:PutRetentionPolicy` Required to set the number of days to keep log events (retention) in a log group.
PutSubscriptionFilter	`logs:PutSubscriptionFilter` Required to create or update a subscription filter and associate it with a log group.
StartQuery	`logs:StartQuery` Required to start CloudWatch Logs Insights queries.
StopQuery	`logs:StopQuery` Required to stop a CloudWatch Logs Insights query that is in progress.
TagLogGroup	`logs:TagLogGroup` Required to add or update log group tags.
TestMetricFilter	`logs:TestMetricFilter` Required to test a filter pattern against a sampling of log event messages.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using identity-based policies (IAM policies)

Using service-linked roles