amazon-ssm-agent requires logs:DescribeLogGroups when its log streaming feature is enabled

Created on 19 Aug 2019  路  3Comments  路  Source: aws/amazon-ssm-agent

As far as I checked, amazon-ssm-agent requires logs:DescribeLogGroups when its log streaming feature is enabled.
It means all users connect to an EC2 instance via Session Manager can list up all the CloudWatch Log Groups in the AWS account.
In my case, I don't let users know this information.

I want to know the reason that amazon-ssm-agent requires logs:DescribeLogGroups.

PS: If there are any misunderstandings, please let me know.

Most helpful comment

I can confirm that session manager logs aren't written to the Cloudwatch Loggroup without logs:DescribeLogGroups action allowed on all loggroups:

      - PolicyName: logs
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Action:
              - logs:CreateLogStream
              Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:session-manager-SessionLogGroup*:*'
              Effect: Allow
            - Action:
              - logs:PutLogEvents
              Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:session-manager-SessionLogGroup*:*:*'
              Effect: Allow
            - Action:
              - logs:DescribeLogGroups
              Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*'
              Effect: Allow

I think this is a bug and the issue should be re-opened.
If you have to have this perm at least lock it to the Session Manager Loggroup!

All 3 comments

Hi enm10k@,

The agent calls logs:DescribeLogGroups API to check if the log group name provided by the customer is present before the session starts. The session fails to start if the log group is not present.

@sumohite @shihuazhang

The agent calls logs:DescribeLogGroups API to check if the log group name provided by the customer is present before the session starts. The session fails to start if the log group is not present.

If this is the only reason, is there a possibility to confirm it in other ways like sending a test message?

As I described before, I don't want to grant logs:DescribeLogGroups.
It's too powerfull for my use case.

I'm willing to send a pr.
Let me know your opinion.

I can confirm that session manager logs aren't written to the Cloudwatch Loggroup without logs:DescribeLogGroups action allowed on all loggroups:

      - PolicyName: logs
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Action:
              - logs:CreateLogStream
              Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:session-manager-SessionLogGroup*:*'
              Effect: Allow
            - Action:
              - logs:PutLogEvents
              Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:session-manager-SessionLogGroup*:*:*'
              Effect: Allow
            - Action:
              - logs:DescribeLogGroups
              Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*'
              Effect: Allow

I think this is a bug and the issue should be re-opened.
If you have to have this perm at least lock it to the Session Manager Loggroup!

Was this page helpful?
0 / 5 - 0 ratings