AWS CloudTrail IAM Permissions for Log Delivery

Create an AWS CloudTrail IAM Role: Key Permissions

Question

As an AWS system administrator, you need to create a new trail that logs both management events and data events in AWS CloudTrail.

The trail logs should be delivered to the log streams of a new CloudWatch Logs log group.

To configure this, an IAM role is required for AWS CloudTrail to assume.

Which of the following IAM permissions should the IAM role have? (Select TWO.)

Answers

Explanations

Correct Answers: A and C.

Options A and C are CORRECT because when users enable CloudWatch Logs in a new trail, they need to configure an IAM role with suitable permissions:

With this role, CloudTrail first creates log streams in the new log group and then puts events into those log streams.

“logs:CreateLogStream” is required to create new log streams for the Log Group.

“logs:PutLogEvents” is required for delivering CloudTrail events to the log streams in CloudWatch.

Option B is incorrect because “logs:*” grants every CloudWatch Logs permission, which is far more than this scenario needs.

Option D is incorrect because delivering events to CloudWatch Logs does not require any S3 permissions.

Option E is incorrect because the permission “CloudWatch:ForwardLogEvents” is invalid.

The correct CloudWatch Log permission should be “logs:PutLogEvents”.

Reference:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-required-policy-for-cloudwatch-logs.html

[Console screenshot: the trail's "CloudWatch Logs - optional" settings. CloudWatch Logs: Enabled. Log group: New, name "aws-cloudtrail-logs-test" (1-512 characters; only letters, numbers, dashes, underscores, forward slashes, and periods are allowed). IAM Role: New or Existing; "AWS CloudTrail assumes this role to send CloudTrail events to your CloudWatch Logs log group."]

To create a new trail that logs both management events and data events in AWS CloudTrail, and deliver the trail logs to the log streams of a new CloudWatch Log group, an IAM role with specific permissions is required. The IAM role will be assumed by AWS CloudTrail, which will use it to write to the CloudWatch Logs log group.

The following two IAM permissions are required for the IAM role:

  1. logs:CreateLogStream: This permission allows the IAM role to create a new log stream in the CloudWatch Logs log group. When a new log stream is created, AWS CloudTrail can start writing to it.

  2. logs:PutLogEvents: This permission allows the IAM role to put log events into the log streams of the CloudWatch Logs log group. AWS CloudTrail uses this permission to write the trail logs to the log streams.

Therefore, the correct answers are A. logs:CreateLogStream and C. logs:PutLogEvents.

Option B. logs:* gives the IAM role full access to CloudWatch Logs, which grants more permissions than necessary and may allow the IAM role to perform unintended actions.

Option D. S3:* is not relevant to the requirement mentioned in the question, and is not required for CloudTrail to write logs to CloudWatch Logs.

Option E. CloudWatch:ForwardLogEvents is not a valid permission, and therefore is not relevant to the requirement mentioned in the question.
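As an added example (not part of the question bank or the AWS documentation), the role described in both explanations above expressed as code: a least-privilege permissions policy holding only logs:CreateLogStream and logs:PutLogEvents, the trust policy that lets the CloudTrail service assume the role, and an audit that reports the problems with options B, D and E. The region, account ID and log-stream ARN layout are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; substitute your own region, account and log group.
REGION, ACCOUNT_ID = "us-east-1", "111122223333"
LOG_GROUP = "aws-cloudtrail-logs-test"   # log group name shown in the console screenshot

REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def permissions_policy(region=REGION, account_id=ACCOUNT_ID, log_group=LOG_GROUP):
    """Least-privilege permissions policy: only the two required actions, scoped
    to the log streams CloudTrail creates in this group (<account>_CloudTrail_<region>*)."""
    stream_arn = (f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
                  f":log-stream:{account_id}_CloudTrail_{region}*")
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "CloudTrailToCloudWatchLogs", "Effect": "Allow",
                           "Action": sorted(REQUIRED_ACTIONS), "Resource": stream_arn}]}


def trust_policy():
    """Trust policy: only the CloudTrail service principal may assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "cloudtrail.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def audit_policy(policy):
    """Return findings for a candidate role policy: wildcard grants (logs:*),
    actions outside the logs service (S3:*, CloudWatch:ForwardLogEvents),
    and required actions that are missing."""
    findings, covered = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            service, _, op = action.partition(":")
            if service.lower() != "logs":
                findings.append(f"{action}: not a CloudWatch Logs action")
            elif op == "*":
                covered |= REQUIRED_ACTIONS      # logs:* would work, but over-grants
                findings.append(f"{action}: wildcard exceeds the two required actions")
            else:
                covered.add(action)
    findings += [f"{a}: required action missing" for a in sorted(REQUIRED_ACTIONS - covered)]
    return findings


if __name__ == "__main__":
    print(json.dumps(permissions_policy(), indent=2))
    print(json.dumps(trust_policy(), indent=2))
    print(audit_policy({"Statement": [{"Effect": "Allow", "Action": ["logs:*", "S3:*"]}]}))
```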