Cloudformation-coverage-roadmap: AWS::Logs::PutResourcePolicy

Created on 5 Nov 2019 · 11 Comments · Source: aws-cloudformation/cloudformation-coverage-roadmap

Scope of request

AWS::Logs::PutResourcePolicy would handle the CW Logs PutResourcePolicy API call

Expected behavior

Pretty straightforward - create/update/delete the policy. Ideally be able to skip the PolicyName and have it auto-generate based off the logical name like S3 bucket names do.

Helpful Links to speed up research and evaluation

API Doc: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutResourcePolicy.html

Category

Management & Governance

All 11 comments

I would just like to register that implementing this suggestion would increase the value introduced with the addition of LogPublishingOptions to Elasticsearch domain resources (issue #54).

Though it's now possible via CloudFormation to create and connect domains with log groups, stack creations / updates fail if you haven't previously "prepped" your account by running a CLI command to grant privileges to the es.amazonaws.com service, like ...

aws logs put-resource-policy --policy-name elasticsearch-logging --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "es.amazonaws.com" ] }, "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutLogEventsBatch" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/aes/domains/*:*" } ] }'
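
An added example, not part of the original thread or of AWS's own tooling: a small Python check that audits a CloudWatch Logs resource policy such as the one in the comment above for wildcard region/account scope and for a missing aws:SourceAccount / aws:SourceArn condition. The account ID, region and domain name in the scoped variant are constructed placeholders, and the finding names are this example's own.

```python
import json

# Policy document copied from the comment above.
COMMENT_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Service": ["es.amazonaws.com"]},
  "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:PutLogEventsBatch"],
  "Resource": "arn:aws:logs:*:*:log-group:/aws/aes/domains/*:*"}]}
""")

# Constructed tighter variant: account ID, region and domain name are placeholders.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Service": ["es.amazonaws.com"]},
  "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:PutLogEventsBatch"],
  "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/aes/domains/example-domain/*:*",
  "Condition": {
    "StringEquals": {"aws:SourceAccount": "111122223333"},
    "ArnLike": {"aws:SourceArn": "arn:aws:es:us-east-1:111122223333:domain/example-domain"}}}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_log_resource_policy(policy):
    """Return (statement_index, finding) pairs for broadly scoped Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":")  # arn:partition:service:region:account:...
            if arn == "*" or len(parts) < 6:
                findings.append((i, "unscoped-resource"))
                continue
            if parts[3] == "*":
                findings.append((i, "any-region"))
            if parts[4] == "*":
                findings.append((i, "any-account"))
        # Without a source condition the grant is not tied to a specific
        # source account or source resource.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not cond_keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append((i, "no-source-condition"))
    return findings

if __name__ == "__main__":
    for name, doc in (("comment", COMMENT_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_log_resource_policy(doc))
```
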

Not having this feature makes it impossible to construct a Route 53 DNS Hosted Zone with logging entirely in CloudFormation, which is practically a requirement for adoption by our team. Please add this soon!

Totally defeats the purpose of having LogPublishingOptions for Elasticsearch in CloudFormation

+1 to this. Please add this to CF

+1 LogPublishingOptions for Elasticsearch in Cloudformation is unusable without it

+1 to this. Please add to CF

+1 for the Elasticsearch LogPublishingOptions scenario. I'm actively watching this to avoid the need of a lambda-backed CloudFormation custom resource.

+1 I have auditors requiring this and would really rather avoid implementing lambda backed custom resources where possible

+1 ! :)

Add this feature for ElasticSearch

I need this for Route53 query logging in the CDK.
