IAM Policy for CloudWatch Logs Writing
Create an IAM policy allowing a service or application to create log groups, log streams, and push log events to CloudWatch Logs.
Detailed Explanation
CloudWatch Logs Writer Policy
Almost every AWS workload needs to write logs to CloudWatch. Lambda execution roles, ECS task execution roles, EC2 instance profiles, and custom applications all need this policy.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudWatchLogsWrite",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/myapp/*",
        "arn:aws:logs:us-east-1:123456789012:log-group:/myapp/*:*"
      ]
    }
  ]
}
Resource ARN Patterns
CloudWatch Logs uses a two-level ARN structure:
- Log group level: arn:aws:logs:region:account:log-group:name, needed for CreateLogGroup and DescribeLogGroups.
- Log stream level: arn:aws:logs:region:account:log-group:name:*, needed for CreateLogStream and PutLogEvents.
The :* suffix on the second ARN matches all log streams within the log group.
Scoping by Application
Use a log group name prefix (like /myapp/) to scope permissions. This prevents the service from writing to other applications' log groups. Each microservice can have its own prefix.
CreateLogGroup
Including logs:CreateLogGroup is convenient for first-time setup but optional if you pre-create log groups via CloudFormation or Terraform. Without it, the service can only write to existing log groups.
Describe Actions
DescribeLogGroups and DescribeLogStreams are read-only but needed by many logging libraries that check for existing groups/streams before creating new ones.
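The following is an added example, not part of the original page and not an AWS tool: it builds the writer policy above for a given region, account and log-group name pattern, and evaluates it with a small IAM-style matcher so you can see the two-level ARN and prefix scoping in action. The ARNs, account id and stream names are constructed sample values; the evaluator ignores Condition blocks and only models Allow/Deny with resource and action wildcards, which is enough to show why an exact log-group ARN needs its ":*" companion before PutLogEvents on a stream succeeds, and why a prefix like /myapp/ keeps another application's log groups out of reach.

```python
import json
import re

# Actions the page's policy grants; the two Describe actions are read-only but
# many logging libraries call them before creating groups or streams.
WRITER_ACTIONS = [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
]

# Constructed sample ARNs (not real resources) used by the demo and tests.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_OWN_GROUP_ARN = f"arn:aws:logs:us-east-1:{SAMPLE_ACCOUNT}:log-group:/myapp/api"
SAMPLE_OWN_STREAM_ARN = SAMPLE_OWN_GROUP_ARN + ":log-stream:2024/01/01/[$LATEST]abc123"
SAMPLE_OTHER_STREAM_ARN = (f"arn:aws:logs:us-east-1:{SAMPLE_ACCOUNT}:log-group:/billing/api"
                           ":log-stream:2024/01/01/[$LATEST]abc123")


def build_logs_writer_policy(region, account_id, log_group_name,
                             allow_create_log_group=True, include_log_stream_arn=True):
    """Return the CloudWatch Logs writer policy as a dict.

    log_group_name may be an exact name ("/myapp/api") or a prefix pattern
    ("/myapp/*"). The resource list mirrors the page's two-level structure:
    the log-group ARN plus the ":*" form that covers the streams inside it.
    """
    actions = [a for a in WRITER_ACTIONS
               if allow_create_log_group or a != "logs:CreateLogGroup"]
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    resources = [group_arn]
    if include_log_stream_arn:
        resources.append(group_arn + ":*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudWatchLogsWrite",
            "Effect": "Allow",
            "Action": actions,
            "Resource": resources,
        }],
    }


def iam_wildcard_match(pattern, value, case_insensitive=False):
    """IAM-style matching: '*' is any run of characters, '?' is one character.

    Everything else is literal, so the '[' in a Lambda stream name such as
    '[$LATEST]' is not treated as a character class (fnmatch would do that).
    """
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Simplified identity-policy evaluation (assumption: no Condition blocks).

    Explicit Deny wins, then any matching Allow grants, otherwise implicit deny.
    """
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(iam_wildcard_match(p, action, case_insensitive=True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(iam_wildcard_match(p, resource_arn)
                           for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    policy = build_logs_writer_policy("us-east-1", SAMPLE_ACCOUNT, "/myapp/*")
    print(json.dumps(policy, indent=2))
    print("own stream  :", is_allowed(policy, "logs:PutLogEvents", SAMPLE_OWN_STREAM_ARN))
    print("other app   :", is_allowed(policy, "logs:PutLogEvents", SAMPLE_OTHER_STREAM_ARN))
    exact_only = build_logs_writer_policy("us-east-1", SAMPLE_ACCOUNT, "/myapp/api",
                                          include_log_stream_arn=False)
    print("no :* suffix:", is_allowed(exact_only, "logs:PutLogEvents", SAMPLE_OWN_STREAM_ARN))
```

Run it as a script to print the generated policy and the three decisions; the last one shows that an exact log-group ARN without its ":*" companion leaves PutLogEvents on the group's streams implicitly denied, while a trailing-wildcard name like /myapp/* already covers stream ARNs on its own (the wildcard matches ":" as well), so the second ARN mainly matters when log groups are named exactly.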
Use Case
Lambda functions, ECS services, EC2 applications, and custom workloads that need to ship structured logs to CloudWatch for centralized monitoring, alerting, and analysis.