AWS CloudWatch Logs (IAM)
Amazon CloudWatch Logs centralizes logs from AWS services and applications for monitoring and troubleshooting.
Common permissions
- logs:CreateLogGroup
- logs:DeleteLogGroup
- logs:CreateLogStream
- logs:DeleteLogStream
- logs:PutLogEvents
- logs:GetLogEvents
- logs:StartQuery
- logs:StopQuery
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogStream",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:StartQuery",
        "logs:StopQuery"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid logs:* — grants full control including deletion of log groups and streams.
- Avoid logs:PutLogEvents without conditions — can lead to excessive log ingestion costs.
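As an added example (not part of the original page), a small Python linter that checks an IAM policy document for the two patterns warned about above. The function name and finding codes are hypothetical, and NotAction statements are not evaluated.

```python
import re

# The policy shown on this page, written compactly as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup", "logs:DeleteLogGroup",
            "logs:CreateLogStream", "logs:DeleteLogStream",
            "logs:PutLogEvents", "logs:GetLogEvents",
            "logs:StartQuery", "logs:StopQuery",
        ],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action patterns: case-insensitive, '*' = any run, '?' = one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def lint_logs_policy(policy):
    """Return (statement_index, finding_code) pairs; codes are hypothetical names."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything
        actions = _as_list(stmt.get("Action"))  # NotAction is not evaluated here
        # Warning 1: logs:* (or a bare *) grants every CloudWatch Logs action.
        if any(a.lower() in ("*", "logs:*") for a in actions):
            findings.append((idx, "FULL_LOGS_WILDCARD"))
        # Warning 2: PutLogEvents allowed with no Condition block at all.
        if any(_matches(a, "logs:PutLogEvents") for a in actions) and not stmt.get("Condition"):
            findings.append((idx, "PUTLOGEVENTS_NO_CONDITION"))
    return findings


if __name__ == "__main__":
    for finding in lint_logs_policy(PAGE_POLICY):
        print(finding)
```

Run against the policy shown on this page, the linter reports the unconditioned logs:PutLogEvents grant in statement 0.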
Resources
API
full doc /v1/iam/logs