As far as I checked, amazon-ssm-agent requires logs:DescribeLogGroups when its log streaming feature is enabled.
It means all users connect to an EC2 instance via Session Manager can list up all the CloudWatch Log Groups in the AWS account.
In my case, I don't let users know this information.
I want to know the reason that amazon-ssm-agent requires logs:DescribeLogGroups.
PS: If there are any misunderstandings, please let me know.
Hi enm10k@,
The agent calls logs:DescribeLogGroups API to check if the log group name provided by the customer is present before the session starts. The session fails to start if the log group is not present.
@sumohite @shihuazhang
The agent calls logs:DescribeLogGroups API to check if the log group name provided by the customer is present before the session starts. The session fails to start if the log group is not present.
If this is the only reason, is there a possibility to confirm it in other ways like sending a test message?
As I described before, I don't want to grant logs:DescribeLogGroups.
It's too powerfull for my use case.
I'm willing to send a pr.
Let me know your opinion.
I can confirm that session manager logs aren't written to the Cloudwatch Loggroup without logs:DescribeLogGroups action allowed on all loggroups:
- PolicyName: logs
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- logs:CreateLogStream
Resource:
- !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:session-manager-SessionLogGroup*:*'
Effect: Allow
- Action:
- logs:PutLogEvents
Resource:
- !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:session-manager-SessionLogGroup*:*:*'
Effect: Allow
- Action:
- logs:DescribeLogGroups
Resource:
- !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*'
Effect: Allow
I think this is a bug and the issue should be re-opened.
If you have to have this perm at least lock it to the Session Manager Loggroup!
Most helpful comment
I can confirm that session manager logs aren't written to the Cloudwatch Loggroup without logs:DescribeLogGroups action allowed on all loggroups:
I think this is a bug and the issue should be re-opened.
If you have to have this perm at least lock it to the Session Manager Loggroup!